a4746ef8fc8e01917812d7cdac113f3e7f019552e377c5deaf4ff6e67c07a03a

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe
Size

171KB
MD5

4b989853f7beada4dfd256b291cc1e91
SHA1

83e9d9882f08d89f8fc27eb85e83106b604454ba
SHA256

a4746ef8fc8e01917812d7cdac113f3e7f019552e377c5deaf4ff6e67c07a03a
SHA512

d11147350f3c922eaeba9acc24e2c86a18f2fe444618d392f68121f59e0db60b343b49d6edc329d8ea2910d8d837e239ee71c245f9cdbebb6793ec3de10cd11a
SSDEEP

3072:YUftOL184ayOtCJPBwYPkNYzrOI9QFTe/28kinNJwfcmtKzEIt4e/r3fTy3OJjRl:/ftOLm4AtC/w24YrOSQVrniycmtKAw4S

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\B56CC\\1D064.exe"	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/32-1-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/32-2-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4448-12-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/32-14-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4084-131-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4084-132-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/32-133-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/32-233-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/32-288-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4448	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	86
PID 32 wrote to memory of 4448	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	86
PID 32 wrote to memory of 4448	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	86
PID 32 wrote to memory of 4084	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	87
PID 32 wrote to memory of 4084	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	87
PID 32 wrote to memory of 4084	32	4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe startC:\Program Files (x86)\LP\64EB\4F4.exe%C:\Program Files (x86)\LP\64EB
  2⤵
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4b989853f7beada4dfd256b291cc1e91_JaffaCakes118.exe startC:\Program Files (x86)\CC971\lvvm.exe%C:\Program Files (x86)\CC971
  2⤵
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B56CC\C971.56C

Filesize
996B

MD5
4b59be1ed516ac6c791098abffff4d9f

SHA1
6d7d327cdc5a8c0353620de1e4e3c2070eae0ccd

SHA256
5bee3566e8d1b188d24eb2c4f8808e0e90462d97483f5f88883e1e4a09db2b5f

SHA512
14a2a0fcb29eb7c2893f72b4908f8d69f5d8e537c6541b2a91f2ff0953b43118ab46106cbea20526542d42c1003648082b415273c03ab710a19cfb75416ca97b

Download Submit
C:\Users\Admin\AppData\Roaming\B56CC\C971.56C

Filesize
600B

MD5
7172c39c9c8594b3614587f4a368ffb2

SHA1
e8a77d67b4c42dec42cc4832a678ea95d84b88c1

SHA256
721272f5314bd0e6645bcf0e321746a38b181c00ee4036a1dd99afc86f5a19a5

SHA512
34a0ece03eda2263c8304f9283238484aa1b9075b00589b309596eb4540a5f8aa2fe889e033a99aff2da312004c2dc4f0bfae78057ff97863db6a527d0f5d66a

Download Submit
C:\Users\Admin\AppData\Roaming\B56CC\C971.56C

Filesize
1KB

MD5
6b951e98c77a354464305ec763afb5fc

SHA1
e6f6443fa7e5099932114e04eead8ccbf51af0fc

SHA256
5fd4e2358481906b86ad721111207aace9c7f76fb3b0b43066035570cb990615

SHA512
9dbb365fe008563c6a12b86b34e5c8761fb14fd3b1da3c955a0e265dc07cefc9dc0154e44e3b63f3131d78bfcc7fd2b08facbcfdc989c632ba69cb482b151eb0

Download Submit
memory/32-1-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/32-2-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/32-14-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/32-133-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/32-233-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/32-288-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4084-131-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4084-132-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4448-12-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads