c411d12d2dd765a675768d0019b9be6370ea6b8314b85b1d49b1518720ecfd29

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
Size

414KB
MD5

778158888bdfd6f74e2ebdb95807f237
SHA1

fce9a7d3fe1593671a21626f6785bc67007d59f8
SHA256

c411d12d2dd765a675768d0019b9be6370ea6b8314b85b1d49b1518720ecfd29
SHA512

3fb27b4efaf511ab56f8eacb6441fb67b48881dd56dec1025b8e16977b1ee06616e1b054cf501092a07e6b7c9781af450f0e6f8d822e2fe3915eec4a63e82c05
SSDEEP

6144:wARb+1YFc8CnFu73mBCR7NFrkcrreoSi7CL+PqL55NjeqE5:zb+1F8C+minkSrfSi+L/V5Nj

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\hG13201ObPdP13201\\hG13201ObPdP13201.exe"	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
2620	hG13201ObPdP13201.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	hG13201ObPdP13201.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2604-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2604-31-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2620-33-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral1/memory/2620-40-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\hG13201ObPdP13201 = "C:\\ProgramData\\hG13201ObPdP13201\\hG13201ObPdP13201.exe"	hG13201ObPdP13201.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hG13201ObPdP13201.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
Token: SeDebugPrivilege	2620	hG13201ObPdP13201.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2620	2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2620	2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2620	2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2620	2604	778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\ProgramData\hG13201ObPdP13201\hG13201ObPdP13201.exe
  "C:\ProgramData\hG13201ObPdP13201\hG13201ObPdP13201.exe" "C:\Users\Admin\AppData\Local\Temp\778158888bdfd6f74e2ebdb95807f237_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hG13201ObPdP13201\hG13201ObPdP13201

Filesize
208B

MD5
039fc6040652a8eadb5ab5ebb09f3315

SHA1
4178e9a0a40afae6bc56cb990377215a479a12d4

SHA256
4782c62cf4409c3dc0b1bc2921432c9cb077a0aa5b0b6cc91c0b4d7f77f12510

SHA512
9868c66d145bae2a81517bfba3ed86e820a75e8746e499b4de9a82e53a9958b5b5e7ecb3eb585882b6b8a0de8d52e9453076324688229b71134d2d7f2e756371

Download Submit
\ProgramData\hG13201ObPdP13201\hG13201ObPdP13201.exe

Filesize
414KB

MD5
ccd016d2da57c702ea435b8dce10fbe0

SHA1
439d3ca7ed5aa8264e584fa1b5e5e4379eac651d

SHA256
ff12ef9719233fc633190be5bd907f66abc75af0dfe8cef71a36c428d418e5e4

SHA512
c360ae984bcb1a55ac4795e05c7cafb632846b0c3f3b14fd021e172e1a7d9cfd4dd94c710b829888e167c6194df1512f27c3bf3819bdb71426dc0607321a0c3d

Download Submit
memory/2604-0-0x0000000000270000-0x0000000000273000-memory.dmp

Filesize
12KB

Download
memory/2604-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2604-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2604-31-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2620-32-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2620-33-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2620-40-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download