53be3a39c7340867acd254e93d3439a765f385b28e196da8528320d80aec5fff

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Size

253KB
MD5

60083ddea451dbae2ab2b7f92ddd2ce0
SHA1

25f0d4515926b9081e4741362a6fbe89a2565b88
SHA256

53be3a39c7340867acd254e93d3439a765f385b28e196da8528320d80aec5fff
SHA512

6d7ceb4f7c8dd5698efe9fd5b76ed0a7abaf3fb9fbbe1fcf3105799185f41e492c5db45c1bb3d0f3588e17bd032ef0563fe1d62f042fa4f15afdb9e279cdbb79
SSDEEP

6144:Aj89h36jLTfrPXGxxkDal4jZUNesLT91omGSSG4u2WOMNOsPaU7:7yTjOxa0+ZdsLTLGJC2WNYrU7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE,"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fe06fdda = "Ax^È\x0eûŒ\x05®³™×ìäê\x03zR`Oé\x1b¢ZÝ=\x1bÖZ^\x01ãŠN:Ö,ŠõÆþ\x7fgJI\x17ÖC÷³€÷ïðDí\|\x1fnÊ©vˆ}Ó\x1aÓð³8,39Ë…\x7fÂ¿H\x1al÷R\x10m¾¦ÖºIN\fM1\x1a2\x14¾J}\x0e\x12\x02Òqfb\x02}®êIjõ\|:é¶œú\x0ez\"¾öŽÂvê6r\x12N2^†šÒú\u00adU\u009dRb–1º\x16Iê‚¢eÅ\x1ajF9uFž>üzª¦ÎŠ¬j-òæB9^†®Ä®ÍÂºNÅ\x05V~Ñ4ìZ¶J\næ¶¶FuZÔ†á\u0081ú>Õ&\x16FtQÒvÊ²–vÙÂR\x1afæVâE´Ý^á™ñ\nÁUUÎnªBr\x16î\x14µBêÂ=úª†\x1aZ"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	2172	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-0-0x00000000006F0000-0x0000000000752000-memory.dmp

Filesize
392KB

Download
memory/2172-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2172-2-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2172-5-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-3-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-13-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-11-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-9-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-7-0x0000000003480000-0x0000000003532000-memory.dmp

Filesize
712KB

Download
memory/2172-14-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2172-15-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-17-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-19-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-44-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-47-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-85-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-84-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-83-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-82-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-81-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-80-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-79-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-78-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-77-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-75-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-74-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-73-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-72-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-71-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-70-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-69-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-68-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-67-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-66-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-65-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-64-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-63-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-62-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-61-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-60-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-59-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-58-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-57-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-56-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-55-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-54-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-52-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-51-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-50-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-49-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-48-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-46-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-45-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-76-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-43-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-42-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-41-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-53-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-40-0x0000000003640000-0x00000000036F8000-memory.dmp

Filesize
736KB

Download
memory/2172-168-0x00000000006F0000-0x0000000000752000-memory.dmp

Filesize
392KB

Download
memory/2172-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download