Analysis
-
max time kernel
6s -
max time network
7s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-07-2024 18:32
Static task
static1
Behavioral task
behavioral1
Sample
644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe
Resource
win10v2004-20240709-en
Errors
General
-
Target
644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe
-
Size
92KB
-
MD5
644fee6ca69279cb3539c510d81c4a19
-
SHA1
0e42d69549a8a82652b4585e4b93e75cfb22f3c8
-
SHA256
338e4b44d1f3c62340770e1dd87aa73b56ee54632a3a29a9f5d9564aff345706
-
SHA512
fd3567d314ac0bae25fde1ddf86cd8b99ce6c8dd5b9fa51d06e19eeee2d4ba18fd1587c3cee4893428ca7d85c6a6578b48275d5b107397accb32ed113b7e911a
-
SSDEEP
1536:+zKNKMLiIpGI1sLF4zSc9GFRHaKWWSb9a3AEhEacLfHwzGo:fiI31S0sFR6KWWSbohyacszGo
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\vzhkwef.dll 644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 2912 644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\644fee6ca69279cb3539c510d81c4a19_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2716
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1992