6c40d30a794d7adc90b816989cb971cb649eed9a386650486f6764aab47c2e4a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
Size

43KB
MD5

621686ec1e73d054c8abf12f951a5a72
SHA1

abb10b5ed51702c9196170d41a381565482f5b69
SHA256

6c40d30a794d7adc90b816989cb971cb649eed9a386650486f6764aab47c2e4a
SHA512

33c8437ed3d54a1e19f3a1c09d9bedca1b82561e0d83cf6c789b163379bd4e25d25ded87e7ce4729e122c40f5ef3bd84cf0653ab55541c4cf0d3e677aabe4afa
SSDEEP

768:rxSW7w80nKy3uqn/3/AeCK9deInmeEsx20rznLD5SwXpAVOU3ryivYuja2OaMB+u:NHc8CKy5/YeZfeCmeEsx203LDnXlU3rK

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\ntos.exe,"	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ntos.exe	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntos.exe	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5
PID 4812 wrote to memory of 612	4812	621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe	5

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\621686ec1e73d054c8abf12f951a5a72_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-41-0x00000000364B0000-0x00000000364D2000-memory.dmp

Filesize
136KB

Download
memory/612-76-0x0000000036660000-0x0000000036682000-memory.dmp

Filesize
136KB

Download
memory/612-84-0x00000000366C0000-0x00000000366E2000-memory.dmp

Filesize
136KB

Download
memory/612-80-0x0000000036690000-0x00000000366B2000-memory.dmp

Filesize
136KB

Download
memory/612-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/612-13-0x0000000036360000-0x0000000036382000-memory.dmp

Filesize
136KB

Download
memory/612-17-0x0000000036390000-0x00000000363B2000-memory.dmp

Filesize
136KB

Download
memory/612-20-0x00000000363C0000-0x00000000363E2000-memory.dmp

Filesize
136KB

Download
memory/612-26-0x00000000363F0000-0x0000000036412000-memory.dmp

Filesize
136KB

Download
memory/612-28-0x0000000036420000-0x0000000036442000-memory.dmp

Filesize
136KB

Download
memory/612-32-0x0000000036450000-0x0000000036472000-memory.dmp

Filesize
136KB

Download
memory/612-37-0x0000000036480000-0x00000000364A2000-memory.dmp

Filesize
136KB

Download
memory/612-40-0x00000000364B0000-0x00000000364D2000-memory.dmp

Filesize
136KB

Download
memory/612-72-0x0000000036630000-0x0000000036652000-memory.dmp

Filesize
136KB

Download
memory/612-62-0x00000000365A0000-0x00000000365C2000-memory.dmp

Filesize
136KB

Download
memory/612-49-0x0000000036510000-0x0000000036532000-memory.dmp

Filesize
136KB

Download
memory/612-52-0x0000000036540000-0x0000000036562000-memory.dmp

Filesize
136KB

Download
memory/612-56-0x0000000036570000-0x0000000036592000-memory.dmp

Filesize
136KB

Download
memory/612-46-0x00000000364E0000-0x0000000036502000-memory.dmp

Filesize
136KB

Download
memory/612-64-0x00000000365D0000-0x00000000365F2000-memory.dmp

Filesize
136KB

Download
memory/612-69-0x0000000036600000-0x0000000036622000-memory.dmp

Filesize
136KB

Download
memory/4812-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4812-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4812-1-0x000000000040F000-0x0000000000411000-memory.dmp

Filesize
8KB

Download
memory/4812-2-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4812-3054-0x000000000040F000-0x0000000000411000-memory.dmp

Filesize
8KB

Download