Analysis
-
max time kernel
3s -
max time network
7s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20/07/2024, 07:52
Static task
static1
Behavioral task
behavioral1
Sample
5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Errors
General
-
Target
5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe
-
Size
88KB
-
MD5
5fa3d4b37a24b2942915e5cdf890a738
-
SHA1
210e306e0bea6b7a1b38c479949ea2a8caa641e6
-
SHA256
3fe56ddc331987f577b8ca255a4ce1614644a6ed91f2b469ce9f07cf7a187c2c
-
SHA512
578cd90fc7225d93f9a6053078eb8ee7deaff94b60aa7d576e07b4874e2ac15500dd70de7e757e03a7e4f63e843be7e3999ebe17c004dcd56584f2c4d4d2a185
-
SSDEEP
1536:Vnpo+QCJAENdnsSIsfGW9lV258KUwkNdyK6nB1DGlEEEC7xZopSluTHT9KoTJlIU:VnpKrUQsfGWLV+Ub0K6nB1DGlBEC7oEG
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\awunywg.dll 5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1840 5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 400 LogonUI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5fa3d4b37a24b2942915e5cdf890a738_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3999055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:400