a9fd6ec48f9951043fb07f2a1a8999452d1ecff564e91a67d6d0ee122b97163b

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
Size

255KB
MD5

4b0c0f3b145c47577afe2a4f00ab38b3
SHA1

29d075d0c7eb43e4454fc0542ca2a95bd2495856
SHA256

a9fd6ec48f9951043fb07f2a1a8999452d1ecff564e91a67d6d0ee122b97163b
SHA512

f9345ffaca67da0af1c9186fd0de8df06ecd6fc94e8defdbd780242bcecb998bbaad1d75604f05fef8c1897434f8b255ea0daa487f98acd5012c2f0da9830fd8
SSDEEP

6144:ONU2+2kcTBWUZxjCld3hRV2QsXSAaj4ijpFaQTQisa:ONRdpgdRRoTCD4ijpoix

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\4B0C0F~1.EXE,"	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4B0C0F~1.EXE"	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\1f205b9e = "L*Gœ¡¢\x1a\x03dz\x036>\u0081ë©êØç NRƒÄÏð)\x13Ô\x13\x12d:e\u00ad»â¢@%ô°Á•òBÆ¾ä\x0e}°éD\u00adšvoÏÏ#CÊá½ÃŸUÞWüòhŽº\nÚYŠƒA$+¼ù\x1f#‰©G/o¯÷/É0¯\bóÒ9\x0fïqZ±\agñ8Ïß—\x03:x°ùgg2™Ù\"ÈŸ+¨WPÑ’\x18W\t\x1f@qÓOñø7!\x0f\aÂÑyŠØÙ'Ç\u008fÛWà7:ˆ;{cÚ2é/™aÑS¨WÉ™ÙßÏGJ\x7fú\v·\u008fï¹0\u008f\x13h·\x13;C\x1b™\x17÷?_/©ù\x11áa÷ûJ˜O7§_72Ÿ©OW\u0081èßß÷¢\x197G\a’éù"	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4B0C0F~1.EXE"	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2080	4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b0c0f3b145c47577afe2a4f00ab38b3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2080-1-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2080-0-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2080-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-3-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2080-4-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-12-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-10-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-8-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-6-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-14-0x00000000023D0000-0x0000000002482000-memory.dmp

Filesize
712KB

Download
memory/2080-15-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/2080-20-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-19-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-16-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-48-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-47-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-46-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-42-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-45-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-44-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-43-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-49-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-50-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-51-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-52-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-81-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-70-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-53-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-86-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-85-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-84-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-83-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-82-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-80-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-79-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-78-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-77-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-76-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-75-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-74-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-73-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-72-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-71-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-69-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-68-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-67-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-66-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-65-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-64-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-63-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-62-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-61-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-60-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-59-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-58-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-57-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-56-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-55-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-54-0x0000000002590000-0x0000000002648000-memory.dmp

Filesize
736KB

Download
memory/2080-170-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2080-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download