89b10d887f577a3df59dd562c1bc523f159e4ec1cec6c21b17adfdcc6e47f4f9

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
Size

250KB
MD5

66564f9b68d540541d71e439b8ffeb8e
SHA1

9b2464f37dfd430bfe9e9e49bafe7a8205e002d6
SHA256

89b10d887f577a3df59dd562c1bc523f159e4ec1cec6c21b17adfdcc6e47f4f9
SHA512

e15ef5e1e935d5fcdbf1d7fbcc7c7c3fae357c1ffe2e8409e63538523eb684c25694fdfa96bc7a6927bc4c80b82651e4a8b7b56b44f5fed548e7fc4c372c4cbd
SSDEEP

6144:/cjlsubtn6BV+/1PSSggDhBkLq2pjMoyYKRKESBv:EiuZ6Bq1aMWqBTSV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\66564F~1.EXE,"	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66564F~1.EXE"	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ae3498df = "ç€I™JzˆêuK¾ÿ\x1dŠ&\x13™\u0081!¨%(©ý"	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\66564F~1.EXE"	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2036	66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66564f9b68d540541d71e439b8ffeb8e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-0-0x000000007EF40000-0x000000007EFA7000-memory.dmp

Filesize
412KB

Download
memory/2036-1-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-3-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-13-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2036-11-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-9-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-7-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-5-0x0000000001F20000-0x0000000001FD2000-memory.dmp

Filesize
712KB

Download
memory/2036-15-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-21-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2036-19-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-17-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-41-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-40-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-49-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-42-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-64-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-43-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-45-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-44-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-46-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-47-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-66-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-65-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-63-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-62-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-61-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-60-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-59-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-58-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-57-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-56-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-55-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-54-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-53-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-52-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-51-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-50-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-48-0x0000000002520000-0x00000000025D8000-memory.dmp

Filesize
736KB

Download
memory/2036-168-0x000000007EF40000-0x000000007EFA7000-memory.dmp

Filesize
412KB

Download
memory/2036-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download