Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
13/07/2024, 02:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Resource
win7-20240704-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Resource
win10v2004-20240709-en
5 signatures
150 seconds
General
-
Target
3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
-
Size
263KB
-
MD5
3fe5c195765933bc273cc32afc186e9d
-
SHA1
f9a85a75f46aadc8a1d5f00d260aafb0c9377634
-
SHA256
d21ba5386b7f9f15f4cd1195b07520cd04e18732d7f79e63de68fa168f9fd18b
-
SHA512
19b4a4fa8538ca989abae8275b199e505e3f3d8647fe5ecf491814ac6b285c4f8ff0a3719fb9854646a59ded3d53a7c382b717c132b86f4e86b1f7bec710a9e6
-
SSDEEP
3072:6LQ0S1wdTDmI2tozYy2NfLa+l/HIKJSsI+AlKlmiJqJy5IB0OUbS9CrOEBT:v0/oKYy2NfLZl/HjDJqJy5IB6C+Dp
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE," 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE" 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\24fb34de = "\x11\x1f•ZF\båÌÞ`-\x0f˜‹+†m…ˆ(5\r0ã\u008d\x0e\u00ad‹yá\x12hâaz\t¤8'FÛIÞ\x14ç\x16´7Ÿ’H®\x01Y¶¬xk_bÈáT ³fv]KÁ)$\u0081" 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FE5C1~1.EXE" 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeSecurityPrivilege 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe Token: SeSecurityPrivilege 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe Token: SeSecurityPrivilege 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe Token: SeSecurityPrivilege 3512 3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3fe5c195765933bc273cc32afc186e9d_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512