b48bc535a628bd953a27f45d4412d4b73818f536eddb10ca93e828ad56965653

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
Size

265KB
MD5

48fb012bc40a8466e6584b48f368bb77
SHA1

9a8a71b47cc5c6a334199dd15b8acbef00d56b00
SHA256

b48bc535a628bd953a27f45d4412d4b73818f536eddb10ca93e828ad56965653
SHA512

a4541f2e4728ccc5a1cc9f4829ef37cd988180153404a113686d2fcf0818a8fa05b44afacc21b3b58092fca84a0a02fc5149253e0b01e7b4ab7070aaa007c093
SSDEEP

6144:N0k8qY0eoQYdu8XfNRraPrvEQw6ragCBVUi:NOxwu8XGv1VagUF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\48FB01~1.EXE,"	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48FB01~1.EXE"	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\f094643f = "H›¡r&ÞKª÷\fÂD\x16Ó6ë\x1d¡Ù\x03¡\x03öµ9\u008d#ãIžê”VÊ²5m{ãßño].\x03Šó%T"	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48FB01~1.EXE"	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48fb012bc40a8466e6584b48f368bb77_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2392-0-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2392-1-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2392-2-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2392-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2392-14-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-12-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-10-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-8-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-6-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-4-0x00000000025C0000-0x0000000002672000-memory.dmp

Filesize
712KB

Download
memory/2392-15-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2392-20-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-18-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-16-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-43-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-42-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-44-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-45-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-71-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-46-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-86-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-85-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-84-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-83-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-82-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-81-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-80-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-79-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-78-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-77-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-76-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-75-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-74-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-73-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-72-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-70-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-69-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-68-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-67-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-66-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-65-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-64-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-63-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-62-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-61-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-60-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-59-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-58-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-57-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-56-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-55-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-54-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-53-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-52-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-51-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-50-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-49-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-48-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download
memory/2392-47-0x0000000002780000-0x0000000002838000-memory.dmp

Filesize
736KB

Download