1944682778ef09288679e6ea8fd524fa0431a8e79885479b34e9be765a7e6785

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
Size

320KB
MD5

a551302840d37f607b3b92cf0623445f
SHA1

510bab5e97a1d152d606e146b6b322ec2bb9aca6
SHA256

1944682778ef09288679e6ea8fd524fa0431a8e79885479b34e9be765a7e6785
SHA512

59c8b740dd38d81675205faf01be2ace9f1dcfafce5e8d2a4abd58ae59dbc9c457415be37e90c73f415ddce1f5ed8fd355f44e4f50dbe38cb3c8ba2d4b670dd1
SSDEEP

6144:rqr+TK+FUJ9M/Yu4FmrTMaQwCBKrJ/zhwPVj9YPwnv/3Onzc:rg+3hgu4kXMaIiJ/Vwdj2KvfOzc

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Arquivos de programas\\djfYuUP5.exe"	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MSFS	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\MAPI	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents\IMAIL	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\OptionalComponents	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\winlogn.ini	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a551302840d37f607b3b92cf0623445f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-0-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2200-2-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-4-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-5-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-6-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-7-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-8-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-9-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-10-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-11-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-12-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-13-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-14-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2200-15-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads