a2584b2183c2cef8a611a627d692768388b75b15a40d8eb2a4e06c25c27fbebe

Analysis

max time kernel
103s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
Size

64KB
MD5

f5989e56a1ac8f9c18d873341335753d
SHA1

90207f4d08e36272b20bb84051020679120a93d8
SHA256

a2584b2183c2cef8a611a627d692768388b75b15a40d8eb2a4e06c25c27fbebe
SHA512

18af61e4e668d454a97af3abfd49681b19b91f699e64fd12dc7fe9922a85eb51e8df101e9f1b4c6aa29911d0b2bef3ad5b830bd69652a731b7a3b1879f4321c1
SSDEEP

768:9sBgh1Hp6uJRHoFItGxq7/RWXwAdq+49CecmV5styjK72Ys4VicQ8JKTUKk:9sLg2RuJWDdq+49wm7CNqYs5OKk

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops autorun.inf file 1 TTPs 52 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\I:\autorun.inf	winlogon.exe
File created	\??\L:\autorun.inf	winlogon.exe
File created	\??\M:\autorun.inf	winlogon.exe
File opened for modification	\??\M:\autorun.inf	winlogon.exe
File opened for modification	\??\N:\autorun.inf	winlogon.exe
File opened for modification	\??\P:\autorun.inf	winlogon.exe
File created	\??\S:\autorun.inf	winlogon.exe
File created	\??\X:\autorun.inf	winlogon.exe
File opened for modification	\??\A:\autorun.inf	winlogon.exe
File opened for modification	C:\autorun.inf	winlogon.exe
File opened for modification	\??\L:\autorun.inf	winlogon.exe
File opened for modification	\??\Q:\autorun.inf	winlogon.exe
File opened for modification	\??\S:\autorun.inf	winlogon.exe
File opened for modification	\??\T:\autorun.inf	winlogon.exe
File opened for modification	\??\W:\autorun.inf	winlogon.exe
File opened for modification	\??\E:\autorun.inf	winlogon.exe
File opened for modification	F:\autorun.inf	winlogon.exe
File created	\??\J:\autorun.inf	winlogon.exe
File created	\??\Q:\autorun.inf	winlogon.exe
File created	\??\Z:\autorun.inf	winlogon.exe
File opened for modification	\??\Z:\autorun.inf	winlogon.exe
File created	\??\A:\autorun.inf	winlogon.exe
File opened for modification	\??\B:\autorun.inf	winlogon.exe
File created	D:\autorun.inf	winlogon.exe
File created	\??\O:\autorun.inf	winlogon.exe
File created	\??\R:\autorun.inf	winlogon.exe
File created	\??\U:\autorun.inf	winlogon.exe
File opened for modification	\??\Y:\autorun.inf	winlogon.exe
File created	F:\autorun.inf	winlogon.exe
File opened for modification	\??\K:\autorun.inf	winlogon.exe
File created	\??\N:\autorun.inf	winlogon.exe
File created	\??\K:\autorun.inf	winlogon.exe
File opened for modification	\??\R:\autorun.inf	winlogon.exe
File opened for modification	\??\V:\autorun.inf	winlogon.exe
File created	\??\Y:\autorun.inf	winlogon.exe
File created	\??\B:\autorun.inf	winlogon.exe
File opened for modification	D:\autorun.inf	winlogon.exe
File opened for modification	\??\I:\autorun.inf	winlogon.exe
File opened for modification	\??\J:\autorun.inf	winlogon.exe
File opened for modification	\??\O:\autorun.inf	winlogon.exe
File created	\??\W:\autorun.inf	winlogon.exe
File opened for modification	\??\X:\autorun.inf	winlogon.exe
File created	\??\G:\autorun.inf	winlogon.exe
File opened for modification	\??\G:\autorun.inf	winlogon.exe
File opened for modification	\??\H:\autorun.inf	winlogon.exe
File created	\??\P:\autorun.inf	winlogon.exe
File created	\??\T:\autorun.inf	winlogon.exe
File opened for modification	\??\U:\autorun.inf	winlogon.exe
File created	\??\V:\autorun.inf	winlogon.exe
File created	C:\autorun.inf	winlogon.exe
File created	\??\E:\autorun.inf	winlogon.exe
File created	\??\H:\autorun.inf	winlogon.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cmd.gdi	winlogon.exe
File opened for modification	C:\Windows\cmd.gdi	winlogon.exe
File created	C:\Windows\winlogon.exe	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
File opened for modification	C:\Windows\winlogon.exe	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
File created	C:\Windows\winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe
3032	winlogon.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3032	1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe	30
PID 1972 wrote to memory of 3032	1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe	30
PID 1972 wrote to memory of 3032	1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe	30
PID 1972 wrote to memory of 3032	1972	f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5989e56a1ac8f9c18d873341335753d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\winlogon.exe
  "C:\Windows\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\cmd.gdi

Filesize
328B

MD5
2d3ca9ca2ba436ba9a0068e41c4fbaa9

SHA1
93c2fba0f13f9b85620d68cd488fcab5a57c9ad1

SHA256
39688676ac66b2af0deea2b19d05243742902b5bc55fcc8c081b084a9fc50b1f

SHA512
6a5d71493cd8bf1cc5cb2057fcaad1e7440109db544e3f76171a2da271b07b07763938593fcdf26552c1c85b1d56d89346f817f5db4acc7dcb95c9979d8579d6

Download Submit
C:\Windows\winlogon.exe

Filesize
64KB

MD5
f5989e56a1ac8f9c18d873341335753d

SHA1
90207f4d08e36272b20bb84051020679120a93d8

SHA256
a2584b2183c2cef8a611a627d692768388b75b15a40d8eb2a4e06c25c27fbebe

SHA512
18af61e4e668d454a97af3abfd49681b19b91f699e64fd12dc7fe9922a85eb51e8df101e9f1b4c6aa29911d0b2bef3ad5b830bd69652a731b7a3b1879f4321c1

Download Submit
memory/3032-13-0x0000000002810000-0x00000000032CA000-memory.dmp

Filesize
10.7MB

Download
memory/3032-5885-0x0000000004220000-0x0000000005282000-memory.dmp

Filesize
16.4MB

Download