812393c0a782bd688192a8a2558d48c79cf3ab5b568414817ac19c8c8336919d

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
Size

266KB
MD5

45f535c3146383fb915b6464a2897297
SHA1

6fe30f6a2e0ef5073ab8cd28894bd250af2a4bcd
SHA256

812393c0a782bd688192a8a2558d48c79cf3ab5b568414817ac19c8c8336919d
SHA512

8dd5d4a17ee1021d25ffbb0abd98e7a5250c44a50c2ffec6b8f0a371c0bf84bce2f11412c9e78082b867cfc63c1b2c092525678b394716145de75c3d55e0d8d8
SSDEEP

3072:NW/1lqNqAoPJl+Q7fFOPLfie9rHbK5pWsl8bnDZNnZRfs6pCWtKU7xTVKpfo5Utn:grDPSgFCqiXIQ28bDr5trKpfo5aoo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\45F535~1.EXE,"	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\45F535~1.EXE"	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ff23226f = "M}ëb\|ÕL+Å\aZ+'`…\x17\x06‰#™\x05÷ëKà\x13¹\|„µJ]‘úââéÅ%Ôâ3WÄ\tÕ\u0081S‡SA\t\x05•\b3¾¼wÊÙ&¦”!.6;QGwéZgêÛ\x15)¡xàe0Ëf\x16··\x7f–7îÙ®ÑŸøç°–f±?\bG?\x17ð\u00a0I\x10\x7f ÑV·\x18\x19¨†\x16"	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\45F535~1.EXE"	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
Token: SeSecurityPrivilege	2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
Token: SeSecurityPrivilege	2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
Token: SeSecurityPrivilege	2604	45f535c3146383fb915b6464a2897297_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\45f535c3146383fb915b6464a2897297_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45f535c3146383fb915b6464a2897297_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-0-0x00000000022C0000-0x0000000002314000-memory.dmp

Filesize
336KB

Download
memory/2604-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2604-13-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-11-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-9-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-7-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-5-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-3-0x00000000024A0000-0x0000000002552000-memory.dmp

Filesize
712KB

Download
memory/2604-14-0x0000000000400000-0x00000000005BA000-memory.dmp

Filesize
1.7MB

Download
memory/2604-15-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-17-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-19-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-45-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-57-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-40-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-41-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-70-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-43-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-80-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-42-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-44-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-86-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-85-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-84-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-83-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-82-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-81-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-79-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-78-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-77-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-76-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-75-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-74-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-73-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-72-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-71-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-69-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-68-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-67-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-66-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-65-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-64-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-63-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-62-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-61-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-60-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-59-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-58-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-56-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-55-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-54-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-53-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-52-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-51-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-50-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-49-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-48-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-47-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-46-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2604-168-0x00000000022C0000-0x0000000002314000-memory.dmp

Filesize
336KB

Download
memory/2604-236-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download