c278b9ca24326c4d6a5363ee92564db9a65fa20caabefe36ca8c46fd189d3432

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Size

268KB
MD5

a17cfde16c5e05462bc88ee302ff863e
SHA1

810abe7d72cdf52a37f2b355f51d517e56541473
SHA256

c278b9ca24326c4d6a5363ee92564db9a65fa20caabefe36ca8c46fd189d3432
SHA512

c721fd75f31fbff3f3c300e510b29866de086497a810395811521f27e09c8f0a75d9916e9f8638fa0bf38e70815425082f948a90738460b068667f028e7f562d
SSDEEP

6144:4I1v9PfKoXjllMoVpfZLijwDAhtCx6o3yG4/xFk:44vFfVzv2qZitZFk

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\A17CFD~1.EXE,"	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A17CFD~1.EXE"	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ac8a13e9 = "Îä’ëRdcie˜%cÏ(Å»n~õ»¥‹]¡Á);ŠµýÄÏöÞt#\u00adž\x7fÿÇÏd‘·s†\u008f\"„[”!®ÝswîºÜ\x1bÀ9d©@áÐ\u00a0\|—:y«!#)¿¬\x15Uèšoeví2\x16ŠJR\"¢Âé¥‘:Šñ»\u009d\x05ŠrÉ£ú¢v+ÊFÃþ\x06‰³Zù2jrABCK\x11®Zæ«s>ÊÕ6zžŽ\x02«îBºFfBËnåö::²¶\x12¢E>ªÅºÛ\x11–¦BÓá¦\u009dN\u008d\n1\x1d:Á‘ÊÝÖRâr+î{ò\x01ºÒ{¥\x02õZ\x03æ\x02™M+m52ÂuºÓ‚Š*ÑãÊ¢^bnúJBå³Ö\x19Î’\x02\x03\x02Šþ\x06ú\u009dšâ¡{Ê¦\x06\u009dr––Ò¦\x19R¹Š"	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A17CFD~1.EXE"	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2392	a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a17cfde16c5e05462bc88ee302ff863e_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9233.tmp

Filesize
2B

MD5
715900fdef28ea37f92ab726f39177df

SHA1
1d7a6e4b74e7aa24d2cd4a101baf22406530bf53

SHA256
dba4a40f11ec80d728a1341730bdf0b50b82c2f47e6af8a1c4137eb631d25065

SHA512
c60f6a3403be561ab33c2ad1c150c3d6e48754a0167899d1b994ecc0e33abfe11cd09cf20098dc84f0a21f7b61242e423e968b97defc627347fd784bee9136c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9256.tmp

Filesize
11KB

MD5
95bc488965ac58ee4de695734faefd40

SHA1
37a944adade721a8c1d64538d4700a703f64c75d

SHA256
d17a861ffdf3b5b995bc4881fcbd4a46b1679068eb6cd9ac49c27571081c61d3

SHA512
ad551cb67e0d92f203fe46dda8dbb764f9778a10509d6641fcd6b4d1ba2cf39462a464b3c048e88d7318d39a89ee1068ed7af87525cc9efae7e16e1f498a8ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\939D.tmp

Filesize
715B

MD5
587be65a5dd511a9c7cf5c53a0dde1df

SHA1
47bf97e955842990ef23b199d9c448886af30d15

SHA256
4f149c2ac62924f2999c207ec8a05337aafd43cccbddaf1c75dfb00d09a341fa

SHA512
10828a505bef5081749a1709063a43e02dbd1a5e6b71c7577914d65993632d82741bcc90f17db919fa3a52ca5b543b5783b8842a2e40c534dda1ca0ab1665873

Download Submit
memory/2392-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2392-1-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/2392-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2392-12-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-14-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2392-10-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-8-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-4-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-6-0x0000000002360000-0x000000000241F000-memory.dmp

Filesize
764KB

Download
memory/2392-16-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-21-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-20-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-18-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-54-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-55-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-56-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-57-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-58-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-59-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-60-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-61-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-62-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-63-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-64-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-65-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-66-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-74-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-73-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-72-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-71-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-70-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-69-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-68-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-67-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-75-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-99-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-98-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-97-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-96-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-95-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-94-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-93-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-92-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-91-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-90-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-89-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-88-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-87-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-86-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-85-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-84-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-83-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-82-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-81-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-80-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-79-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-78-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-77-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-76-0x0000000002590000-0x0000000002656000-memory.dmp

Filesize
792KB

Download
memory/2392-203-0x0000000000470000-0x00000000004D9000-memory.dmp

Filesize
420KB

Download
memory/2392-204-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download