0768c8a7de1114a2f2a87f4ac82f2bf5ff635b0836f252db3e4e742daaa6995d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
Size

263KB
MD5

da3b94ac9e6dbdbb88c84819a33fc680
SHA1

92d611fd217babc9d14831ca637128ba9d177ef9
SHA256

0768c8a7de1114a2f2a87f4ac82f2bf5ff635b0836f252db3e4e742daaa6995d
SHA512

acfceab04ae76d14d319d0ce1a989bf6f4f4bc166bf9eb22b5ed538b578602bb53ab701f3a5da55273d3089e613c5a7ae045dabf19ea8f28a974507e1fccd4ba
SSDEEP

6144:hHw5ZGVhkfpf5w1ihCAEaHTsWGLPN9jOsa0uxii:hGZykBfe1iIAlHIbPjbuxz

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DA3B94~1.EXE,"	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DA3B94~1.EXE"	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3290a657 = "@™¯þxFi0\x0f\x02—Î\f…o’\x03s\a\n¯ò\x17\a\x1aðªï/÷6¦ã!ÇúX\x0fBQ\x1c¨\x12–\x1d4‰ÇÁ\u008f›k {\x17‹â\n’¸ˆEè\x05›û\x14ñR…5\n0¢ð\x10Hòb\x03¥Ž\vÆpÃ#\x13S£“K›££e»eK³ó"	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DA3B94~1.EXE"	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
Token: SeSecurityPrivilege	4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
Token: SeSecurityPrivilege	4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
Token: SeSecurityPrivilege	4628	da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da3b94ac9e6dbdbb88c84819a33fc680_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7A52.tmp

Filesize
2B

MD5
715900fdef28ea37f92ab726f39177df

SHA1
1d7a6e4b74e7aa24d2cd4a101baf22406530bf53

SHA256
dba4a40f11ec80d728a1341730bdf0b50b82c2f47e6af8a1c4137eb631d25065

SHA512
c60f6a3403be561ab33c2ad1c150c3d6e48754a0167899d1b994ecc0e33abfe11cd09cf20098dc84f0a21f7b61242e423e968b97defc627347fd784bee9136c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A53.tmp

Filesize
11KB

MD5
95bc488965ac58ee4de695734faefd40

SHA1
37a944adade721a8c1d64538d4700a703f64c75d

SHA256
d17a861ffdf3b5b995bc4881fcbd4a46b1679068eb6cd9ac49c27571081c61d3

SHA512
ad551cb67e0d92f203fe46dda8dbb764f9778a10509d6641fcd6b4d1ba2cf39462a464b3c048e88d7318d39a89ee1068ed7af87525cc9efae7e16e1f498a8ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C954.tmp

Filesize
715B

MD5
587be65a5dd511a9c7cf5c53a0dde1df

SHA1
47bf97e955842990ef23b199d9c448886af30d15

SHA256
4f149c2ac62924f2999c207ec8a05337aafd43cccbddaf1c75dfb00d09a341fa

SHA512
10828a505bef5081749a1709063a43e02dbd1a5e6b71c7577914d65993632d82741bcc90f17db919fa3a52ca5b543b5783b8842a2e40c534dda1ca0ab1665873

Download Submit
memory/4628-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4628-1-0x00000000022C0000-0x0000000002329000-memory.dmp

Filesize
420KB

Download
memory/4628-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4628-3-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4628-4-0x00000000023A0000-0x000000000245F000-memory.dmp

Filesize
764KB

Download
memory/4628-5-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4628-6-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-11-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-10-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-8-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-111-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-164-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-163-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-162-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-161-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-160-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-159-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-158-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-157-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-156-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-154-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-153-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-152-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-151-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-150-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-149-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-148-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-147-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-146-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-144-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-143-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-141-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-140-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-137-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-138-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-136-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-135-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-134-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-133-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-132-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-130-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-129-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-128-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-127-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-125-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-124-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-123-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-122-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-121-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-120-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-119-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-118-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-117-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-116-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-115-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-114-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-113-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-110-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-155-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-145-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-142-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-139-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-131-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-126-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-112-0x0000000002A40000-0x0000000002B06000-memory.dmp

Filesize
792KB

Download
memory/4628-196-0x00000000022C0000-0x0000000002329000-memory.dmp

Filesize
420KB

Download
memory/4628-198-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download