19b0f67456ba06a7aa930555edd1aa7a67ecf4bec27b845c667208024acc4b37

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
Size

21KB
MD5

4b23ab3a4428e25786254ec757bcdbad
SHA1

f7a7bf4bbe6374028e85e4ef893dce5adcc410f3
SHA256

19b0f67456ba06a7aa930555edd1aa7a67ecf4bec27b845c667208024acc4b37
SHA512

cccaae98eb8ca7da0401a0b29a6c7d8f911ab2e76197b46ec6f2c6bad47ea466b0b3d68bdb8a594c50322d081e3fed06bdcf6cd211c18300e70180cda41afc17
SSDEEP

384:kRlT+dZoBsGfABMVD+cegEmffTXs/dSlnXnT7wMBt/Fr29P:u1yZoBAIDBtff4SRnTcQt9r

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\ntos.exe,"	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000014D00000-0x0000000014D0E000-memory.dmp	upx
behavioral1/memory/2400-5-0x0000000014D00000-0x0000000014D0E000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntos.exe	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b23ab3a4428e25786254ec757bcdbad_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2400-0-0x0000000014D00000-0x0000000014D0E000-memory.dmp

Filesize
56KB

Download
memory/2400-5-0x0000000014D00000-0x0000000014D0E000-memory.dmp

Filesize
56KB

Download