d21ba5386b7f9f15f4cd1195b07520cd04e18732d7f79e63de68fa168f9fd18b

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Size

263KB
MD5

3fe5c195765933bc273cc32afc186e9d
SHA1

f9a85a75f46aadc8a1d5f00d260aafb0c9377634
SHA256

d21ba5386b7f9f15f4cd1195b07520cd04e18732d7f79e63de68fa168f9fd18b
SHA512

19b4a4fa8538ca989abae8275b199e505e3f3d8647fe5ecf491814ac6b285c4f8ff0a3719fb9854646a59ded3d53a7c382b717c132b86f4e86b1f7bec710a9e6
SSDEEP

3072:6LQ0S1wdTDmI2tozYy2NfLa+l/HIKJSsI+AlKlmiJqJy5IB0OUbS9CrOEBT:v0/oKYy2NfLZl/HjDJqJy5IB6C+Dp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE,"	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE"	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\744df3b2 = "\x1cL\"‡\u0081B\rõâëéQ®é³œfE[4‚ï¢ûÍD'ÑÂö£ÓÆ0oyó`f,\aO)«?&TaMô>\x10~mg1]§\"6K‡1â{éÛý\x06<„œ%wüpì^\v\"\u0090'5{Â.ßžòJ}îbBêÚvœÒ§Õ\r\u009d.®²ÏuÇ=ìÿÿ•\|\x1dºß‚ÕÅïö‚ÿï6oæ$ÊŸ^5\u008d'Ý··&]bÒ\x1a\u00adfnlurÎ–-\u00ad.Ò§>Z.W\x0ffÆ\u00ad\u008d/4šm\x16&<·\x1f\x17—\x1frD\u009dV:E\x1e¥ŒæO\x1fµš¿'\x12\x0f.î•]E:¢V6L\x04Ÿ¾ï]$’_vfîµä·´ÊÅ&–Ú†Õô=ÊÏ\x12/¥\x1cÚ•ÄÎ\x0f’t–¾mg\x1fÖ%\u008dÍ7ö½Eeå†•"	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE"	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2144	3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-0-0x000000007EF40000-0x000000007EFA7000-memory.dmp

Filesize
412KB

Download
memory/2144-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-2-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-11-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-9-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-7-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-5-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-13-0x0000000002320000-0x00000000023D2000-memory.dmp

Filesize
712KB

Download
memory/2144-14-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2144-15-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-19-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-17-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-46-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-45-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-44-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-43-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-42-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-40-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-41-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-47-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-48-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-63-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-62-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-61-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-60-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-59-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-58-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-57-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-56-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-55-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-64-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-54-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-53-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-52-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-51-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-50-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-49-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-65-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-66-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-68-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-67-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-85-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-84-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-83-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-82-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-81-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-80-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-79-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-78-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-77-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-76-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-75-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-74-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-73-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-72-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-71-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-70-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-69-0x0000000002600000-0x00000000026B8000-memory.dmp

Filesize
736KB

Download
memory/2144-168-0x000000007EF40000-0x000000007EFA7000-memory.dmp

Filesize
412KB

Download
memory/2144-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download