8886cc1b9facb1d083fe81b8789352e62ddf98ff9217cf2d5d9ae9966f9c7dfe

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Size

485KB
MD5

13eb27e13093204ffed936e4f74fa4a0
SHA1

8c6a49265f59720917729072762be91a2039aaf0
SHA256

8886cc1b9facb1d083fe81b8789352e62ddf98ff9217cf2d5d9ae9966f9c7dfe
SHA512

79c5887bafcbed88fd01593d70c891acc5ff5740f7267c2c9c363d25c723ab14ce124d002ae59c3b7bf777f022243db315e388ab4b3c1019b845a970d7df1986
SSDEEP

12288:iroCc//////azg728wDtJOJ35ed+GU0ymlOEF+JXPBlkJ2EvmpC8+T:AoCc//////agkDtJwN0yNEFqXPBeT

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Kvmon.exe -ini"	wmnet.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	wmnet.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\ADPPath\RTHDCPL.exe	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Kvmon.exe	wmnet.exe
File opened for modification	C:\Windows\Kvmon.exe	wmnet.exe
File created	C:\Windows\Kvmon.dll	wmnet.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2792	wmnet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2144	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2144	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2580	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2580	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2580	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2580	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	30
PID 2604 wrote to memory of 2108	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2108	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2108	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2108	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	31
PID 2604 wrote to memory of 2028	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2028	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2028	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2028	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	35
PID 2604 wrote to memory of 2348	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	36
PID 2604 wrote to memory of 2348	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	36
PID 2604 wrote to memory of 2348	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	36
PID 2604 wrote to memory of 2348	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	36
PID 2604 wrote to memory of 544	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	37
PID 2604 wrote to memory of 544	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	37
PID 2604 wrote to memory of 544	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	37
PID 2604 wrote to memory of 544	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	37
PID 2108 wrote to memory of 2816	2108	net.exe	41
PID 2108 wrote to memory of 2816	2108	net.exe	41
PID 2108 wrote to memory of 2816	2108	net.exe	41
PID 2108 wrote to memory of 2816	2108	net.exe	41
PID 2348 wrote to memory of 2472	2348	net.exe	43
PID 2348 wrote to memory of 2472	2348	net.exe	43
PID 2348 wrote to memory of 2472	2348	net.exe	43
PID 2348 wrote to memory of 2472	2348	net.exe	43
PID 2580 wrote to memory of 2764	2580	net.exe	42
PID 2580 wrote to memory of 2764	2580	net.exe	42
PID 2580 wrote to memory of 2764	2580	net.exe	42
PID 2580 wrote to memory of 2764	2580	net.exe	42
PID 544 wrote to memory of 2940	544	net.exe	44
PID 544 wrote to memory of 2940	544	net.exe	44
PID 544 wrote to memory of 2940	544	net.exe	44
PID 544 wrote to memory of 2940	544	net.exe	44
PID 2604 wrote to memory of 2792	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	45
PID 2604 wrote to memory of 2792	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	45
PID 2604 wrote to memory of 2792	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	45
PID 2604 wrote to memory of 2792	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	45
PID 2144 wrote to memory of 2820	2144	net.exe	46
PID 2144 wrote to memory of 2820	2144	net.exe	46
PID 2144 wrote to memory of 2820	2144	net.exe	46
PID 2144 wrote to memory of 2820	2144	net.exe	46
PID 2028 wrote to memory of 2748	2028	net.exe	47
PID 2028 wrote to memory of 2748	2028	net.exe	47
PID 2028 wrote to memory of 2748	2028	net.exe	47
PID 2028 wrote to memory of 2748	2028	net.exe	47
PID 2792 wrote to memory of 2676	2792	wmnet.exe	48
PID 2792 wrote to memory of 2676	2792	wmnet.exe	48
PID 2792 wrote to memory of 2676	2792	wmnet.exe	48
PID 2792 wrote to memory of 2676	2792	wmnet.exe	48
PID 2792 wrote to memory of 2676	2792	wmnet.exe	48
PID 2792 wrote to memory of 2704	2792	wmnet.exe	49
PID 2792 wrote to memory of 2704	2792	wmnet.exe	49
PID 2792 wrote to memory of 2704	2792	wmnet.exe	49
PID 2792 wrote to memory of 2704	2792	wmnet.exe	49
PID 2604 wrote to memory of 2612	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	51
PID 2604 wrote to memory of 2612	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	51
PID 2604 wrote to memory of 2612	2604	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	51

C:\Users\Admin\AppData\Local\Temp\13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    about:blank
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\wmnet.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
596KB

MD5
9ffb0e688f848104137131d9c490448f

SHA1
ef5f9ce20543299b5c5bec334288d16b9a032d10

SHA256
c96ee198b28c9a5c41f86e2e5f56cbec4de7f6168aeee9a045c893643ed5f4c4

SHA512
f94bc13b6d19454e8f82f0734522de3957c24aec7081f767ccb33f9aa00497b99e593ccd14179306493388746e62dcdf97febc95ee0e1108fdcf5f459601d4a9

Download Submit
memory/2604-12-0x000000000F000000-0x000000000F081000-memory.dmp

Filesize
516KB

Download
memory/2792-11-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download