32d6a89a4e7bcc0d910958d78047e00a88b90fad47bac37479ef87b9f019ced9

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe
Size

61KB
MD5

642d469d2004e106b0c1f35a62462ece
SHA1

09b233f1a5a943863bdc50976d82d77b4a9abafb
SHA256

32d6a89a4e7bcc0d910958d78047e00a88b90fad47bac37479ef87b9f019ced9
SHA512

e917baf94d33d5db333e06f19186c6e15069dd0334a4e6d14460199fa7bd4a95d359098390e225624e1d47ecdb90eb758ff7380a2a946ddc0b7c59cd5ea8683b
SSDEEP

1536:kZG1+SDCzLRYhvpipShflOz0VSHIDCeYDbb+UuoNcOwxEuQgA7K6v:1+UlqoDcbYoqRsJ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.exe"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe
2520	explorer.exe
1204	Explorer.EXE
2548	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe
2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe
2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE
2208	ctfmon.exe
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	svchost.exe
2548	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2384	1452	642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2520	2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe	31
PID 2384 wrote to memory of 2520	2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe	31
PID 2384 wrote to memory of 2520	2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe	31
PID 2384 wrote to memory of 2520	2384	642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe	31
PID 2520 wrote to memory of 1204	2520	explorer.exe	21
PID 1204 wrote to memory of 2548	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2548	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2548	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2548	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2548	1204	Explorer.EXE	32
PID 2548 wrote to memory of 2208	2548	svchost.exe	33
PID 2548 wrote to memory of 2208	2548	svchost.exe	33
PID 2548 wrote to memory of 2208	2548	svchost.exe	33
PID 2548 wrote to memory of 2208	2548	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\642d469d2004e106b0c1f35a62462ece_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1452
- - \??\c:\users\admin\appdata\local\temp\642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe
    "c:\users\admin\appdata\local\temp\642d469d2004e106b0c1f35a62462ece_jaffacakes118.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2520
- C:\Windows\syswow64\svchost.exe
  "C:\Windows\syswow64\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\ctfmon.exe
    ctfmon.exe
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-17-0x0000000002D70000-0x0000000002D79000-memory.dmp

Filesize
36KB

Download
memory/2384-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-5-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-10-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2520-22-0x00000000FF1B0000-0x00000000FF470000-memory.dmp

Filesize
2.8MB

Download
memory/2520-21-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2520-53-0x00000000FF1B0000-0x00000000FF470000-memory.dmp

Filesize
2.8MB

Download
memory/2548-23-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2548-26-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2548-29-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download