5c6e67b130f533086fa59e75e9107352331c9e36b3c6cad0de6e49bb3b4f9a8f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 20:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
Size

265KB
MD5

3aac26b619365fdb3f420e258387374e
SHA1

3f16d7896808e02992ed5fca9db6de963343e7e3
SHA256

5c6e67b130f533086fa59e75e9107352331c9e36b3c6cad0de6e49bb3b4f9a8f
SHA512

a23082879b651e4162e7630c3e4efa8e8a528c9403f3f6cbca3a3d96eb8992bd0f0e409e2b4764a22a563c6914e385fb022b4ced6981f54639c86421a759d460
SSDEEP

6144:dH4Tmfn8dMwBnVpV21WBMA41aZcCfZ34+rDLr:d6m85nXV21Wi1aZPh3ZH

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\3AAC26~1.EXE,"	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3AAC26~1.EXE"	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\e03985b8 = "B‹àœÛ¸“R\fÀ-±\x11^FhxÑõ5Œ\|í4Nb…@\rüÌDáý\\øX\x7f#!ûGÕ%3JJÿÕS?K¾>\nì{„\x15¢D{¢F5\|Ûß°‡\x12”r˜¶yÃ\x10È\u008dç\x19!w÷\u008d„yýàb2*•Q\x11Ù`”ñÝðª\x11\x10qd™Uà!A¹ù’@í€ì²™\f\u00ad\\Ù•\\ÌqìD‰áI¢¬Úü€¤øt°ÏBôšÕx,leX-¡t§ŒU!(\u0090G\x1c@L¤ìü\x195gÑhT,\t9\b‘Yà-àØà\bXÙ\x0f5”ùºý—\tÚ´u\tÊ¿¼ä\|OX\\½äÜð\bAÑÉ\x18 ÌÄ´‘g”º1À(ñ”j\f\a’¹\x18˜âù$]œÒxºgê±?"	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3AAC26~1.EXE"	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2636	3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3aac26b619365fdb3f420e258387374e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-0-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2636-1-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/2636-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2636-5-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2636-4-0x0000000002780000-0x0000000002832000-memory.dmp

Filesize
712KB

Download
memory/2636-3-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2636-6-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-8-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-10-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-69-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-71-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-118-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-117-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-116-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-115-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-114-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-113-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-112-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-111-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-110-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-109-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-108-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-107-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-106-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-105-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-104-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-103-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-102-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-101-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-100-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-99-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-98-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-97-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-96-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-95-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-93-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-92-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-91-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-90-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-89-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-88-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-87-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-86-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-85-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-84-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-83-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-82-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-81-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-80-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-79-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-78-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-76-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-75-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-74-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-73-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-72-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-70-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-68-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-67-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-66-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-94-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-65-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-77-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-64-0x0000000002940000-0x00000000029F8000-memory.dmp

Filesize
736KB

Download
memory/2636-193-0x000000007FDE0000-0x000000007FE49000-memory.dmp

Filesize
420KB

Download
memory/2636-194-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download