b1081c66b230ec4dd739005021dfb2d0a1dda1acdc6692453ab0e98342657029

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe
Size

48KB
MD5

47f0f840fc693aaffaf9f7e683990f65
SHA1

d4e3d61709739e07653be4cf3b67ebc1fc7dc52d
SHA256

b1081c66b230ec4dd739005021dfb2d0a1dda1acdc6692453ab0e98342657029
SHA512

36c032722a12ca8199f32cd618cecbe5b258cc9810ea702bf4b103b710b64ce82844d1a972e39225a6d90bbe05e60eb7033f5fd7750750d937799b64b2667843
SSDEEP

768:E0699fnwTA0EAcJxnlYEgFegP4JtGfihzziiKcnw9shSLrIpJKZa:MGWJxnKXFrgJtGa1eiLw9j8pkZa

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1872	rundll32.exe
1704	rundll32.exe

Modifies WinLogon 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\DllName = "C:\\Windows\\system32\\__c0025CB1.dat"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Impersonate = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Asynchronous = "1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\DllName = "C:\\Windows\\system32\\__c0025CB1.dat"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Asynchronous = "1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Startup = "B"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Logon = "B"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Startup = "B"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0025CB1\Logon = "B"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__c0025CB1.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\__c0025CB1.dat	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1872	2524	47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe	30
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31
PID 1872 wrote to memory of 1704	1872	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe.dat",E
  2⤵
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\__c0025CB1.dat",B
    3⤵
    - Loads dropped DLL
    - Modifies WinLogon
    - Suspicious behavior: EnumeratesProcesses
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47f0f840fc693aaffaf9f7e683990f65_JaffaCakes118.exe.dat

Filesize
35KB

MD5
254e736463add1ddec5111e4a90cbdd9

SHA1
845aea321e6cbdff3901b005b2d5049b6253b08f

SHA256
45766bd5e858296a43870facecc8e4e3af65bc928ca3ea797bb23462d6cd5810

SHA512
e5a57e7bd5c798d49880a7b291bd9c9cae87543ef312ef6fc2d3e20393146843f928d77b4b8965c4aa025c781aee0f90648992977e428c35efd88b68fcf297d2

Download Submit
memory/1704-8-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/1704-10-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/2524-0-0x0000000000400000-0x000000000040E9D6-memory.dmp

Filesize
58KB

Download
memory/2524-1-0x0000000001C00000-0x0000000001D00000-memory.dmp

Filesize
1024KB

Download
memory/2524-9-0x0000000000400000-0x000000000040E9D6-memory.dmp

Filesize
58KB

Download