11bbd91895f88edda6eca9e93ec38cb3823ed45f5293e4b625c68baff5e2d0eb

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
Size

263KB
MD5

64e9dc7ad320b4b7c60efa5159c2970f
SHA1

bc19291ad6eaaebb4f889b34fe88f2077d6e8f55
SHA256

11bbd91895f88edda6eca9e93ec38cb3823ed45f5293e4b625c68baff5e2d0eb
SHA512

4e2c62e82599fa8e1d72ce5c5f4fa8f1d8715fd8e7417f05dbdcb75149db7ff02900ba8c103db114a21a92e000ef7f7ba7a656de3c2b3af55fc4228ffd995448
SSDEEP

6144:/bV1mlxAN/u3wGn/c6PYuyJIc907ohkotjQX1kZrrnQ:/BMWVugGn/ftyd9UoCotjQmQ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\64E9DC~1.EXE,"	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64E9DC~1.EXE"	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3065329c = "G„‹{0éÜ¯;Ú½«>á›e³w8&ƒ~Ú\r„'@\x13ó“ª\x12n\x17w2š‡@o”>c—\x05ü4\u00a0Å1\x17mW>r\u00adÂí\nŸ\x14í\b>ìUÃQ²™(§,0\|áe®wOÝÁ¿¶ÿTÎÄ'!Ä/´×®\x1b/L¯D9oœ\v_æn\\\x17ãK¿ô\x13\x17qŸ\u008f/7\x1cÏ>ÿ7Ãžo–Ïœ”óO\x7fç§,Ö\x16v\x04\x11WW”<~S$Þ†fÇ¤ç/ì\x04,×,/~«ÿy¤^—)ŽÑ7ã¼ôœìoŒ<ãæ7™¼\x13”\x1fÏwÃf\u008fg\u008fÑÏÎdTÖG\f£Œ.çCÄß[ïùÄ—4æÌoL[Œ\x7f6û„‰Ôç¦T$7;»ï±¶\ag\x1c¼&sÇÿwìt–¤‡\x1734\|Aæ"	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64E9DC~1.EXE"	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
Token: SeSecurityPrivilege	2536	64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64e9dc7ad320b4b7c60efa5159c2970f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-0-0x0000000000370000-0x00000000003CA000-memory.dmp

Filesize
360KB

Download
memory/2536-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-11-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-9-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-7-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-3-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-5-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-13-0x0000000002160000-0x0000000002212000-memory.dmp

Filesize
712KB

Download
memory/2536-14-0x0000000000400000-0x0000000000680000-memory.dmp

Filesize
2.5MB

Download
memory/2536-19-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-17-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-15-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-46-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-45-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-44-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-43-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-40-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-42-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-41-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-47-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-48-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-67-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-49-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-80-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-50-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-51-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-86-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-85-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-84-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-83-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-82-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-81-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-79-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-78-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-77-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-76-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-75-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-74-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-73-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-72-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-71-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-70-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-69-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-68-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-66-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-65-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-64-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-63-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-62-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-61-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-60-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-59-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-58-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-57-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-56-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-55-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-54-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-53-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-52-0x0000000002740000-0x00000000027F8000-memory.dmp

Filesize
736KB

Download
memory/2536-168-0x0000000000370000-0x00000000003CA000-memory.dmp

Filesize
360KB

Download
memory/2536-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download