6ce9422b832068b7efe3caf5d155815d2423a41dc0f8f6a8df8b3193583e3080

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b290b705882849a01b868d2a5026478c_JaffaCakes118.exe
Size

27KB
MD5

b290b705882849a01b868d2a5026478c
SHA1

69137ce7823cf0267d302638a29d216e1c7512a0
SHA256

6ce9422b832068b7efe3caf5d155815d2423a41dc0f8f6a8df8b3193583e3080
SHA512

148fdeab3e16b3ca627c0dabe09e1880d7be2bf4b9b758a49d5120262a280b382aa8d6c08ad37c95e6f112a25a28122b6ceb745975bcea29072354059fb38755
SSDEEP

768:wzFI2QjWQ3zwO+L0mNvjaRziDG/jDQjjmWTe+Hc9WstYQ:GoaAv+L0mNvjaRziDG/jDQjjmW9Hc9hL

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	winlogon.exe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon System = "C:\\Users\\Admin\\AppData\\Roaming\\app\\winlogon.exe.exe"	b290b705882849a01b868d2a5026478c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon System = "C:\\Users\\Admin\\AppData\\Roaming\\app\\winlogon.exe.exe"	winlogon.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	b290b705882849a01b868d2a5026478c_JaffaCakes118.exe
Token: SeDebugPrivilege	3020	winlogon.exe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3020	2496	b290b705882849a01b868d2a5026478c_JaffaCakes118.exe	30
PID 2496 wrote to memory of 3020	2496	b290b705882849a01b868d2a5026478c_JaffaCakes118.exe	30
PID 2496 wrote to memory of 3020	2496	b290b705882849a01b868d2a5026478c_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\b290b705882849a01b868d2a5026478c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b290b705882849a01b868d2a5026478c_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Roaming\app\winlogon.exe.exe
  "C:\Users\Admin\AppData\Roaming\app\winlogon.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app\winlogon.exe.exe

Filesize
27KB

MD5
b290b705882849a01b868d2a5026478c

SHA1
69137ce7823cf0267d302638a29d216e1c7512a0

SHA256
6ce9422b832068b7efe3caf5d155815d2423a41dc0f8f6a8df8b3193583e3080

SHA512
148fdeab3e16b3ca627c0dabe09e1880d7be2bf4b9b758a49d5120262a280b382aa8d6c08ad37c95e6f112a25a28122b6ceb745975bcea29072354059fb38755

Download Submit
memory/2496-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/2496-1-0x0000000001150000-0x000000000115E000-memory.dmp

Filesize
56KB

Download
memory/3020-7-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/3020-9-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-10-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-13-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-15-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads