Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
25-07-2024 23:00
General
-
Target
71999a8d62e79b89ff7a0c2df8fe9fd9_JaffaCakes118.exe
-
Size
395KB
-
MD5
71999a8d62e79b89ff7a0c2df8fe9fd9
-
SHA1
fd91edaf9f4d280f06a017b33d00bd5dc359ee45
-
SHA256
67c5cf4ef1f40ebb9e3d0d7406306e1f25227b8e4e014ec7573edb5d85df0fb4
-
SHA512
e0ff5100fa1787b8c7194a1e2ab0140ff6cc806bfc241e8b977ed1cb4a2bb3ad2567588cb7e4d0431e08908e3028a9fa9bda7ea138cca30631e4780098fb267a
-
SSDEEP
12288:YYT96JJ558EHwiQLykataz+wZT0Msxyj/LErqOUW9BH:1IJJ558EHwiQLykataz+wZT0Msxyj/L
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies WinLogon 2 TTPs 4 IoCs
-
Drops file in System32 directory 25 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 32 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 11 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71999a8d62e79b89ff7a0c2df8fe9fd9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\71999a8d62e79b89ff7a0c2df8fe9fd9_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Debug\debug_71999a8d62e79b89ff7a0c2df8fe9fd9_JaffaCakes118.pluC:\Windows\Debug\debug_71999a8d62e79b89ff7a0c2df8fe9fd9_JaffaCakes118.plu2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189KB
MD5f2c7bb8acc97f92e987a2d4087d021b1
SHA17eb0139d2175739b3ccb0d1110067820be6abd29
SHA256142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
SHA5122f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8
-
Filesize
175KB
MD5d378bffb70923139d6a4f546864aa61c
SHA1f00aa51c2ed8b2f656318fdc01ee1cf5441011a4
SHA256c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102
SHA5127c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663
-
Filesize
161KB
MD5a80c173ac5c75706bb74ae4d78f2a53d
SHA1ac4440d2d6844b624abd095fc9ece4409c2031c3
SHA256a9bb4b452729f8b231892b41a796fb936a01c3b4af4365977f27f0d8524b3cbd
SHA51234d12db3193b8cefba60f64a58ef38803d96078a4ad00ad6baa1baf4fedb3183d1a7f9e2a94bd81c7efdf3012d8ee6d296bfcffb62aad6e7ebce0d6bb40672a5
-
Filesize
222KB
MD5545bf7eaa24a9e062857d0742ec0b28a
SHA1d748d5b325e5dd4fadeb837a59f61e55d2636d31
SHA25650f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf
SHA512b132a23f443a75deb7bd10415efb871524b63860b2eb30a198dea2f7e67a1fa3bcdc5344dc98f306c8b93452329d6422d5264c1d64a403abeaf7db1662980f1a
-
Filesize
6.1MB
MD5e97295de2a9fde547feab4fe41df16ca
SHA1de87c513e32b4b72edd990b93c8854205f634771
SHA2560ed49ca80d2a71a7be4905a8a1042f25b0bd4f87da9c63dd8bb4949e18b51cf6
SHA512fff1606b11932818fdb84b1706cdc7a87a7e339a172033525d695337a6bef8a8f6c4ed1648df51a9307e3c4d39b578f5a24cd56f60f10e07a91dad7bdd0c089d
-
Filesize
389KB
MD58a4883f5e7ac37444f23279239553878
SHA1682214961228453c389854e81e6786df92bbfa67
SHA256f318c94a46dbca88eefc3e28be51d27e5f91029dc062f56faaa995f0b5f8e518
SHA5127f51e5278aaa5babfa8eb48fc414bf985775b39e1a94b84faffd995e82781dec87c54945edc6ae7570810c646f9f50256713d96ee7c4197a82a30e51145baa4a
-
Filesize
228KB
MD5cfce4eff1d6d909ee2ea3afcb8f1e677
SHA1f90a3a8faf91aad5beec1a363e1f90a91adc9b9b
SHA25689dbb821bacaac09ac072dfae87db8207c696a545aa2dafa387bfc1d81b54d11
SHA512c982c9bb9e40b928f9ee1f7efd8bdba2e66bc58193b297d5560946cc2a2d546cb64f29a3edc587808a05bbfa4ad745a9b9ed6fd5efa4e39ca3b678a565d7b38b
-
Filesize
13.3MB
MD587232c8139f1cd82a2c3e39070d30b52
SHA113e2beede1ab86a3a12277893570c320e375d191
SHA2568b8ad6ac7501d2c82eca1197c0310fa306b05d313d1b75c1020bc2b2965272c9
SHA512e0032aa0182b66e3edbb7b76dd9411a6839e10cd3749337449dedd706ec8ff387042349fbe56c9d4b76a1aa095d750b6bd5e4a180ba7c70c144bf0fe697846f0
-
Filesize
1.4MB
MD515e52f52ed2b8ed122fae897119687c4
SHA16e35ae1d5b6f192109d7a752acd939f5ca2b97a6
SHA2568cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736
SHA512338c12af5af509c19932619007ab058e0e97b65fe32609f14d29f6cc7818814dbdbb8613f81146a10a78197b3f6fbc435fab9fe1537d1eb83c30b9f4487b6aea
-
Filesize
19.8MB
MD5a53cc4c0fa7da7cdc8dddf4a0e6123f9
SHA109aeb141350d8d3ca91ac4cf902af9d6b2de3bf9
SHA256ead4783058efc1fca6e92266cca02ae8ab79105405775208167d280c14d98914
SHA51232a383f768d90c1eb5ffb8fffe6810ad90d76e6c65716819d4296344b31a3858db528eebc40d0561ae2be9d5f14533ecd44a0a783164b6b57e2588788209f665
-
Filesize
63KB
MD59ac7947440b292df56b33960f43c720e
SHA1a9de002d125bebfb94557977aa469368da4f1716
SHA25641733e46ce481dbe454ee81f9307c5fd63f594c76272d1076a5285438eb66516
SHA512295ede2614d2eb0cb00047a79e186e13b9c64fdcfb2be29f7436bcf8fb09fcae8813f65a10a587b6cfacbe6b3e96954ea10427597f253f324eb79775ef668c60
-
Filesize
332KB
MD519d7285c744fe18326a665aa33eaba35
SHA148366a0ee4a3fbae86771a22a350941655190fcc
SHA256addb4e33a11d70f4add9744c95ee96f52b107ccd0f78b820e0e5d7fce95f2167
SHA512cafcf7b960d2b6e8a3b8915074f1a88334d396b9c8d0510fa2960635c38137dd2b0635c9d47c71968cea69e6744f4630b3f2b116f432ab53e9be949bc621836e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB