71e4c7e65494470f13c9abe7d722584fcc6c9480637d76bbef0d65f3059c9e24

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
Size

28KB
MD5

ee83e943c3fdc8891002e9f911600e92
SHA1

aafb614c834192395a19d9563c9f2b4d5a51deac
SHA256

71e4c7e65494470f13c9abe7d722584fcc6c9480637d76bbef0d65f3059c9e24
SHA512

d0358103cd84ff1fcd6d804a8f336f35bd1555e0835b82ab5ed8a9c2fee30846c23a02a97135b9978ff6e34fbc5f5e71e99f30e8cf4da3c470aca00bf0c73c95
SSDEEP

192:2MN21a9pS7na9SVSi2dNA4YL8fzh1zZoRQyJATDzk+9zHJ/uSrApwdP1oyn/AiOy:2WJ87n2FNOuV7I+DugApwJ1RAijK4Tq

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exeC:\\Windows\\SOUNIMFN.EXE"	SOUNIMFN.EXE

Deletes itself 1 IoCs

pid	Process
2196	SOUNIMFN.EXE

Executes dropped EXE 1 IoCs

pid	Process
2196	SOUNIMFN.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SOUNIMFN.EXE	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
File opened for modification	C:\Windows\SOUNIMFN.EXE	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOUNIMFN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
2196	SOUNIMFN.EXE
2196	SOUNIMFN.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30
PID 328 wrote to memory of 2196	328	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SOUNIMFN.EXE
  "C:\Windows\SOUNIMFN.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChongTxt

Filesize
84B

MD5
a52f3dabeedcae0321ea7e214b46b733

SHA1
994094de5d30bff3345ff7846b7cd62fcf6b28b2

SHA256
71cf5f284912e6cb36bb5c5c5b3a0d2237749ab48d67aff76a7b0761a889619c

SHA512
569418d43533dd1a587457fad88b3cfd89e7899954dffdf5b5cbc655018215daf62649c87e3abb118522633a991b759bc4e92d29050408a8331271b04707cd1f

Download Submit
C:\Windows\SOUNIMFN.EXE

Filesize
36.0MB

MD5
40d9bb2fc86d950bfd2db50ec8230623

SHA1
322a6d496019b6dc706e20a3b5cb32e9898cfddd

SHA256
b0091fe3fc8c7e62a9a832dff9804bb655b08bda717f2fecfd470eeee3257a3a

SHA512
25ad1661f10a6cc877e0fdea28926999d26608a6fba2173fbddf9611c1ff31f42aa333ba55cedeba64e97f2f46683d61535f7ebc56b9dc8d96dd0307009acd8e

Download Submit