53be3a39c7340867acd254e93d3439a765f385b28e196da8528320d80aec5fff

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Size

253KB
MD5

60083ddea451dbae2ab2b7f92ddd2ce0
SHA1

25f0d4515926b9081e4741362a6fbe89a2565b88
SHA256

53be3a39c7340867acd254e93d3439a765f385b28e196da8528320d80aec5fff
SHA512

6d7ceb4f7c8dd5698efe9fd5b76ed0a7abaf3fb9fbbe1fcf3105799185f41e492c5db45c1bb3d0f3588e17bd032ef0563fe1d62f042fa4f15afdb9e279cdbb79
SSDEEP

6144:Aj89h36jLTfrPXGxxkDal4jZUNesLT91omGSSG4u2WOMNOsPaU7:7yTjOxa0+ZdsLTLGJC2WNYrU7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE,"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\60083D~1.EXE"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\aec08a11 = "â^¨\|O1lÚ\x18¥\u008d[Â%Ð`DF:-ßØ`\u00a00ÒOJí])Yd\b¨ìtwÂe\r©-¨aêbfàËîOë‘\x1e\x1bÊ:<}M\b†\x0f\\Ôö›x\rð-â¸x\x13\x12\x12\x06\x1c\")&\x14´dNÑV\x13„œ\x01ô)YÁ\x7f\tô4\x11c^\u008fc,œf\u0081¤ÄälÌ\x13\x19ik¶\x16‰÷?‰ÔA4\x19\x19ži¼ô\\!¬ù¤”\x1cv;llœd&\x1c\v©–\|\x1b†ƒ\flÔÜ\x1cqÔ4\x14F1\x04gYÔû~ókÁülÔÎÌ1{\\{c\x7fT>~\x14\x14Qñ[\\4YÑƒ©Sq!ô,6\x01“äÆD¼“~!‘7ó)ñ3L<¤Nql[L)\fÎW\x139\x0f«\x14\x03¤IkÌS¬o‰Ñ;Q!üf”L¼/LÜ"	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
Token: SeSecurityPrivilege	4100	60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60083ddea451dbae2ab2b7f92ddd2ce0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4100-0-0x0000000002680000-0x00000000026E2000-memory.dmp

Filesize
392KB

Download
memory/4100-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4100-2-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4100-3-0x0000000002710000-0x00000000027C2000-memory.dmp

Filesize
712KB

Download
memory/4100-4-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/4100-5-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-7-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-9-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-58-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-57-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-65-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-112-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-111-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-110-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-109-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-108-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-107-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-105-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-104-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-103-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-102-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-101-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-100-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-99-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-98-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-97-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-95-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-94-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-92-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-91-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-89-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-88-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-86-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-85-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-83-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-82-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-80-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-79-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-77-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-76-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-75-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-74-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-73-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-72-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-71-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-70-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-69-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-68-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-67-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-64-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-63-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-62-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-61-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-106-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-60-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-96-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-93-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-90-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-59-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-87-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-84-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-81-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-78-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-66-0x00000000029F0000-0x0000000002AA8000-memory.dmp

Filesize
736KB

Download
memory/4100-185-0x0000000002680000-0x00000000026E2000-memory.dmp

Filesize
392KB

Download
memory/4100-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download