dbe8d13f7390d73bd5ca03eb74522c6ebfd93aa46659987c23aa93ef5e13193e

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe
Size

83KB
MD5

2f4d8532a232fb9f4d87d68a26b1b094
SHA1

01a3dbd21d7780f4d7bce2e68a74f4e0b151b4ee
SHA256

dbe8d13f7390d73bd5ca03eb74522c6ebfd93aa46659987c23aa93ef5e13193e
SHA512

771b07de41fd746dc2d62a8ab96a12d442953ad97c886b37ef5bd64c3000018a5bbf54142a90430d4dc31bb92e2893c4996845f399bae459aa3241ad23b6c758
SSDEEP

1536:YQxqcQu01TZlgkcgZYdfVCydmtXOd4fLJj3jWj:X/0zlgNgZY5VCpW4DJWj

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\twext.exe,"	1seC5A2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2547232018-1419253926-3356748848-1000\Control Panel\International\Geo\Nation	2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	1seC5A2.exe
4640	1seC5A2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234b3-4.dat	upx
behavioral2/memory/2144-11-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2144-23-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\twext.exe	1seC5A2.exe
File created	C:\Windows\SysWOW64\twext.exe	1seC5A2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2144 set thread context of 4640	2144	1seC5A2.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4640	1seC5A2.exe
4640	1seC5A2.exe
4640	1seC5A2.exe
4640	1seC5A2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	1seC5A2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2144	1seC5A2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2144	4724	2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe	85
PID 4724 wrote to memory of 2144	4724	2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe	85
PID 4724 wrote to memory of 2144	4724	2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe	85
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 2144 wrote to memory of 4640	2144	1seC5A2.exe	86
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5
PID 4640 wrote to memory of 616	4640	1seC5A2.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f4d8532a232fb9f4d87d68a26b1b094_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\1seC5A2.exe
  "C:\Users\Admin\AppData\Local\Temp\1seC5A2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\1seC5A2.exe
    "C:\Users\Admin\AppData\Local\Temp\1seC5A2.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1seC5A2.exe

Filesize
59KB

MD5
862632f20212e84cb29ba64d97e1af61

SHA1
abdfb60173ffaa686aba6cc26a87a0e4eeb3f422

SHA256
127ab173aafaa4aadfafb0017c28a9e62c4cf31c48c1e6e2d873c7c4e9fc0d6c

SHA512
d97ebe3ce1988ac81ea4bf81cada9951c3a54b7b708c34e2d507a0d33a3e5032966563cf35c9657662deb52e30e4cb08d117bea27af0cada670ac205fdb04e9a

Download Submit
memory/616-64-0x00000000094F0000-0x0000000009516000-memory.dmp

Filesize
152KB

Download
memory/616-39-0x0000000009400000-0x0000000009426000-memory.dmp

Filesize
152KB

Download
memory/616-88-0x00000000095E0000-0x0000000009606000-memory.dmp

Filesize
152KB

Download
memory/616-43-0x0000000009430000-0x0000000009456000-memory.dmp

Filesize
152KB

Download
memory/616-83-0x00000000095B0000-0x00000000095D6000-memory.dmp

Filesize
152KB

Download
memory/616-78-0x0000000009580000-0x00000000095A6000-memory.dmp

Filesize
152KB

Download
memory/616-73-0x0000000009550000-0x0000000009576000-memory.dmp

Filesize
152KB

Download
memory/616-48-0x0000000009460000-0x0000000009486000-memory.dmp

Filesize
152KB

Download
memory/616-33-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/616-69-0x0000000009520000-0x0000000009546000-memory.dmp

Filesize
152KB

Download
memory/616-53-0x0000000009490000-0x00000000094B6000-memory.dmp

Filesize
152KB

Download
memory/616-58-0x00000000094C0000-0x00000000094E6000-memory.dmp

Filesize
152KB

Download
memory/2144-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2144-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4640-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-25-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-27-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-28-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4640-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4724-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download