16894eca45bdf36a711882951fd5003c9475b47a2b8688e75e508a34d9248b0f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 00:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe
Size

92KB
MD5

111342d3c3b1d863fdbe84f527a676e0
SHA1

38655e9e9854c399e31c92831f199a759eb9c708
SHA256

16894eca45bdf36a711882951fd5003c9475b47a2b8688e75e508a34d9248b0f
SHA512

543cd25109bb8b9d1b153c909545eefa688ec14fd45155a5cbeaf9e497e3b20e865a62cf6182c19c52022f31063e3027517f703cdf81c9ba484cca9a9580d516
SSDEEP

1536:hi9WK6h+Bh1Bzb+cyCSFzvGRxZFSecHek8cqvY9B/xKPkdWOfGgC:yWKP+cyCXjFVAezFxeWOut

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\skype.dat"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1928	111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe
2344	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1928	111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe
1928	111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111342d3c3b1d863fdbe84f527a676e0_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:1928

C:\Windows\syswow64\svchost.exe
"C:\Windows\syswow64\svchost.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-6-0x0000000076EE0000-0x0000000077089000-memory.dmp

Filesize
1.7MB

Download
memory/1232-7-0x0000000002480000-0x0000000002487000-memory.dmp

Filesize
28KB

Download
memory/1928-0-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1928-2-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1928-3-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1928-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1928-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2344-8-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads