d844b060afe3c2aff884c1ac3178a6a7ed03478d6be641c54efc6cd5957c3d53

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
Size

380KB
MD5

29dd3e66171031e3c8c770db8d3f9415
SHA1

cb8944854c1beb9f5cfa9aeffbb910c436201776
SHA256

d844b060afe3c2aff884c1ac3178a6a7ed03478d6be641c54efc6cd5957c3d53
SHA512

a0ab5294a10b5369e4f36c107086121c3080ca539b2f93c322f8c806dd6dc59183e8b99e0eb45e8fa549bfc2f69d14551f50ffa45b79706c760850e6ea6481d4
SSDEEP

6144:ZBPu1qF2idZecnl20lHRxp3gclk9ihl0/srEQpPK+e1FtEuxF+U2/kU:61mF3Z4mxxPoEtlK+kt9T2MU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\rejoice.exe"	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2124	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rejoice.exe	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rejoice.exe	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rejoice.dll	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rejoice.dll	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Deleteme.bat	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2444	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2444	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2444	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2444	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	30
PID 2360 wrote to memory of 2124	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2124	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2124	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	31
PID 2360 wrote to memory of 2124	2360	29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\29dd3e66171031e3c8c770db8d3f9415_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\program files\internet explorer\iexplore.exe
  "C:\program files\internet explorer\iexplore.exe"
  2⤵
  PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Deleteme.bat
  2⤵
  - Deletes itself
  PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
212B

MD5
ebb254d17c2f71cb29c429a5c78b5a2b

SHA1
89a35165dad9b1da43ea821613e3e951f70816b8

SHA256
62f2c616aa512d2cdb339ce16cf53a739970aca740854ec4868b1bbe75a953f0

SHA512
5132d730233472dfc1236879a70524f70ead21dc2b4158cd01568fe4844bb37268000e2b5181c58f7e8f19f70199e86853d5984993cd4c302a3bfbdc57778265

Download Submit
memory/2360-13-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/2360-11-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2360-24-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/2360-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2360-23-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2360-1-0x00000000002C0000-0x0000000000314000-memory.dmp

Filesize
336KB

Download
memory/2360-12-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2360-21-0x0000000003190000-0x0000000003290000-memory.dmp

Filesize
1024KB

Download
memory/2360-10-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/2360-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2360-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2360-7-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2360-6-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/2360-5-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download