Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 01:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe
Resource
win7-20240704-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe
-
Size
255KB
-
MD5
6236b568cf6cd3b17a4a73d88e44f251
-
SHA1
2df471e11ecd49e46431d9c0d9a893282a47a614
-
SHA256
ab1873fb1f64266e7adc3dcc1364058932a26e99707b7615f966d07799687c8f
-
SHA512
edc26d25a6426eed0977def4107c4608fcbc571e26f71531052da11beb7fa9711a58a4936c1e355f685cfb3fdbe89e9ef66a89cfad48f426cce88e338c5fe8e7
-
SSDEEP
6144:pWFLIoTvEFeRIedJ87Zn4k8q+Xj+F8IH7O/E:khT6eGmC4nz+F8IbO/
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\6236B5~1.EXE," 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6236B5~1.EXE" 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6236B5~1.EXE" 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\fabd59cc = "F_“Y—¡ÜW€Ei\rG3œ>Œ|,|u1“\x01©Óý<˜Ôdð9UÏ®L#[5·áw¾?Sl*ÎUyTÄõÖë\x1dU\u0081a\r\x18Úæi\u0081×væ–~á$…ß\u0090MÝ'ù2UßõÁä`ì¸õx|\rq…¸Àf·Õ$ùAìNç|äˆmh´Ø=…˜fè\x15ÞT˜‡¬ø´>ˆ”ÖÇ\\ˆ\x7f=\x164ôœ\b¸†¯xÀ\x1fÜ<‡/ìýƯÀ¹Ô™À,v,®0\x04!ðuì„׸¿ÍX¦\x15g\\¤nÈ&" 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeSecurityPrivilege 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe Token: SeSecurityPrivilege 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe Token: SeSecurityPrivilege 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe Token: SeSecurityPrivilege 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2852 6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6236b568cf6cd3b17a4a73d88e44f251_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2852