f5a6f68917e80b40f242deaac1047997dc78dc31489f834d037b313ef648e3bc

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
Size

211KB
MD5

244edd040695387dfbe1e7bb5f3bafd3
SHA1

b95a9ba700ae3e6585414706c0fff7dfa47a856b
SHA256

f5a6f68917e80b40f242deaac1047997dc78dc31489f834d037b313ef648e3bc
SHA512

5f2e68c004148d9a4c497286cee2b729ced6e9033aaae0c4b3b64575db56a9051856cae5e1a5c0b37049efbccd0fb88876a25118842e46bff324d67ddf30924e
SSDEEP

3072:6GwPsm1VrwxOsf0juzv8j4P1Hr6krr4IEhx9QZe2gO9mG9UHA30Vt3E/vDjb:6G/iVkO20SFgBhxtW9mG9+Umt3Ezjb

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
360	svchost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\62979b92 = "F‘¡D¶qêZLØ\x1aBŸ\x1f;¤ó\x18Õ\x1f\x1c9Í-âh±€NŸSuGo½³ß×Ö}Õ\v\f+G\u008fv\x1b\x16×_\x0e<¯Í=“ßÔ\x14Ä”V\x17$Å->uÃÖ\x13O§]öSs\u00ad\u00ad\x17ÃŽT\x05‡þ[>\x0f\a\v\x05\u008f¤%Ÿ>E+K\x1dWëÛµ¶\vS,öþÎu#ý{ÅSlçw\|Î^3ël\x14ƒ¯®\u008dû\aí¥%Ó\x17¶‡ŽM\rc›MýÅ+×C–Ëöf¾Å\x13ÿ\x0fW\u009dLôs\x1dõôåoÿ7\x1c†C÷»–½÷<ÏÅï»ÛçžŒ{\u00adÅl\x05\aÇ•/\x7fG—”\vG\x1dC\u00add„¼\x03¯§W\u009dCK\x03Õå„\u009dw¯ýÓÿ/\x0e3í‹f—§#m¦œç_žÆW3=\u008f§ütm}Uƒ•\x1ftw"	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\62979b92 = "F‘¡D¶qêZLØ\x1aBŸ\x1f;¤ó\x18Õ\x1f\x1c9Í-âh±€NŸSuGo½³ß×Ö}Õ\v\f+G\u008fv\x1b\x16×_\x0e<¯Í=“ßÔ\x14Ä”V\x17$Å->uÃÖ\x13O§]öSs\u00ad\u00ad\x17ÃŽT\x05‡þ[>\x0f\a\v\x05\u008f¤%Ÿ>E+K\x1dWëÛµ¶\vS,öþÎu#ý{ÅSlçw\|Î^3ël\x14ƒ¯®\u008dû\aí¥%Ó\x17¶‡ŽM\rc›MýÅ+×C–Ëöf¾Å\x13ÿ\x0fW\u009dLôs\x1dõôåoÿ7\x1c†C÷»–½÷<ÏÅï»ÛçžŒ{\u00adÅl\x05\aÇ•/\x7fG—”\vG\x1dC\u00add„¼\x03¯§W\u009dCK\x03Õå„\u009dw¯ýÓÿ/\x0e3í‹f—§#m¦œç_žÆW3=\u008f§ütm}Uƒ•\x1ftw"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe
360	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 360	2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe	82
PID 2800 wrote to memory of 360	2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe	82
PID 2800 wrote to memory of 360	2800	244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\244edd040695387dfbe1e7bb5f3bafd3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3NQFXGDW\login[2].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Users\Admin\AppData\Local\Temp\251A.tmp

Filesize
593B

MD5
926512864979bc27cf187f1de3f57aff

SHA1
acdeb9d6187932613c7fa08eaf28f0cd8116f4b5

SHA256
b3e893a653ec06c05ee90f2f6e98cc052a92f6616d7cca8c416420e178dcc73f

SHA512
f6f9fd3ca9305bec879cfcd38e64111a18e65e30d25c49e9f2cd546cbab9b2dcd03eca81952f6b77c0eaab20192ef7bef0d8d434f6f371811929e75f8620633b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2969.tmp

Filesize
1KB

MD5
a0a8e9c3671bc2ab66054b096790675e

SHA1
d9f969cf6868b9c05739db308a047f989ce13827

SHA256
dd02213503f3a3d2c7ae2cfdca69ac475884f1aee355ce8c53c113ff80f61ed8

SHA512
e201fa979bdc1835a9a629296618483a25d80f7c620d6e24e355a4d98612945b226a6dd515e3d3924efc975f5ac4285c4b139d5074a8351fcc03a05619b871bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\52AA.tmp

Filesize
481B

MD5
21bd5d3a9c5e64bba2719850fddba97f

SHA1
457f86e2c679dbcd7f8950c9a722461ca3e9691b

SHA256
901d311ae0884bc66d62dc664a36be0c4286029ad508910c4af8e3225d8b23d8

SHA512
7bfa461803f8f883d06f98e8732f06e95eb1179f24e2d640b337daf524b1330807d200491e7203b54af533f875a3c8ab27cbd231ce4bbe057d6779578867e8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5329.tmp

Filesize
42KB

MD5
c62ac2828d6432afd32f8ba64c98d9d7

SHA1
7f68ab0c0c2a3de73b0645c70246273787f067d9

SHA256
ba3daba9204fa404b47bb778410f4b9681f3fd02e0d41cdb14ce345061ad128a

SHA512
b2f39d3c13f1f6e1f8da417899ec5028a83f1e9a30b4340cd5cc3b39734817dbd3103546fcd9dd7d330558e77152e6f323f68bcd7b241bdfbaf352f18475b72c

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
211KB

MD5
b28e03cd84afa217caa5e00806e4019a

SHA1
aa252b3e31abfbfe8ef88cb2cd3db4995bde026f

SHA256
e8f824b8ac85a75292845fdfdde78b19a159ee54e5218d7b49408ed6305873d8

SHA512
80b3091e52e16920dc13a627fd0ed1ac7977d33f3f586e3127cc7afa6000d1221b1450b673d9b1792f81994f4d333aa640ac503ab3305834a16d0d15d660effb

Download Submit
memory/360-55-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-52-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-13-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/360-19-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/360-20-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-22-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-24-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-25-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-79-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-78-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-77-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-76-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-75-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-74-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-73-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-72-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-70-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-69-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-68-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-67-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-66-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-65-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-64-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-63-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-62-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-61-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-60-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-59-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-58-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-56-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-16-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/360-54-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-53-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-49-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-17-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/360-50-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-51-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-48-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-47-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-45-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-44-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-43-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-41-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-39-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-37-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-36-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-35-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-34-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-33-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-32-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-31-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-30-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-29-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-27-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-26-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-71-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-57-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-46-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-42-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-40-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-38-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-28-0x0000000002FB0000-0x0000000003066000-memory.dmp

Filesize
728KB

Download
memory/360-18-0x0000000002E00000-0x0000000002EA8000-memory.dmp

Filesize
672KB

Download
memory/2800-0-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download
memory/2800-2-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2800-1-0x0000000002360000-0x00000000023B1000-memory.dmp

Filesize
324KB

Download
memory/2800-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2800-14-0x0000000002360000-0x00000000023B1000-memory.dmp

Filesize
324KB

Download
memory/2800-11-0x0000000000400000-0x00000000005B8000-memory.dmp

Filesize
1.7MB

Download