8886cc1b9facb1d083fe81b8789352e62ddf98ff9217cf2d5d9ae9966f9c7dfe

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Size

485KB
MD5

13eb27e13093204ffed936e4f74fa4a0
SHA1

8c6a49265f59720917729072762be91a2039aaf0
SHA256

8886cc1b9facb1d083fe81b8789352e62ddf98ff9217cf2d5d9ae9966f9c7dfe
SHA512

79c5887bafcbed88fd01593d70c891acc5ff5740f7267c2c9c363d25c723ab14ce124d002ae59c3b7bf777f022243db315e388ab4b3c1019b845a970d7df1986
SSDEEP

12288:iroCc//////azg728wDtJOJ35ed+GU0ymlOEF+JXPBlkJ2EvmpC8+T:AoCc//////agkDtJwN0yNEFqXPBeT

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Kvmon.exe -ini"	wmnet.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	wmnet.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Progra~1\Realtek\ADPPath\RTHDCPL.exe	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Kvmon.exe	wmnet.exe
File opened for modification	C:\Windows\Kvmon.exe	wmnet.exe
File created	C:\Windows\Kvmon.dll	wmnet.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmnet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
Token: SeDebugPrivilege	2860	wmnet.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 220	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	89
PID 2280 wrote to memory of 220	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	89
PID 2280 wrote to memory of 220	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	89
PID 2280 wrote to memory of 2096	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	90
PID 2280 wrote to memory of 2096	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	90
PID 2280 wrote to memory of 2096	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	90
PID 2280 wrote to memory of 2196	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	91
PID 2280 wrote to memory of 2196	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	91
PID 2280 wrote to memory of 2196	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	91
PID 2280 wrote to memory of 5024	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	95
PID 2280 wrote to memory of 5024	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	95
PID 2280 wrote to memory of 5024	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	95
PID 2280 wrote to memory of 2180	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	96
PID 2280 wrote to memory of 2180	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	96
PID 2280 wrote to memory of 2180	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	96
PID 2280 wrote to memory of 2844	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	97
PID 2280 wrote to memory of 2844	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	97
PID 2280 wrote to memory of 2844	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	97
PID 220 wrote to memory of 5116	220	net.exe	101
PID 220 wrote to memory of 5116	220	net.exe	101
PID 220 wrote to memory of 5116	220	net.exe	101
PID 2096 wrote to memory of 2192	2096	net.exe	102
PID 2096 wrote to memory of 2192	2096	net.exe	102
PID 2096 wrote to memory of 2192	2096	net.exe	102
PID 2196 wrote to memory of 4388	2196	net.exe	103
PID 2196 wrote to memory of 4388	2196	net.exe	103
PID 2196 wrote to memory of 4388	2196	net.exe	103
PID 5024 wrote to memory of 2076	5024	net.exe	104
PID 5024 wrote to memory of 2076	5024	net.exe	104
PID 5024 wrote to memory of 2076	5024	net.exe	104
PID 2180 wrote to memory of 1140	2180	net.exe	106
PID 2180 wrote to memory of 1140	2180	net.exe	106
PID 2180 wrote to memory of 1140	2180	net.exe	106
PID 2280 wrote to memory of 2860	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	105
PID 2280 wrote to memory of 2860	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	105
PID 2280 wrote to memory of 2860	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	105
PID 2844 wrote to memory of 2336	2844	net.exe	107
PID 2844 wrote to memory of 2336	2844	net.exe	107
PID 2844 wrote to memory of 2336	2844	net.exe	107
PID 2860 wrote to memory of 4452	2860	wmnet.exe	108
PID 2860 wrote to memory of 4452	2860	wmnet.exe	108
PID 2860 wrote to memory of 4452	2860	wmnet.exe	108
PID 2860 wrote to memory of 736	2860	wmnet.exe	111
PID 2860 wrote to memory of 736	2860	wmnet.exe	111
PID 2860 wrote to memory of 736	2860	wmnet.exe	111
PID 2280 wrote to memory of 2840	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	117
PID 2280 wrote to memory of 2840	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	117
PID 2280 wrote to memory of 2840	2280	13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13eb27e13093204ffed936e4f74fa4a0_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4388
- C:\Windows\SysWOW64\net.exe
  net stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2076
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  C:\Users\Admin\AppData\Local\Temp\wmnet.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    about:blank
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\wmnet.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\avp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wmnet.exe

Filesize
596KB

MD5
9ffb0e688f848104137131d9c490448f

SHA1
ef5f9ce20543299b5c5bec334288d16b9a032d10

SHA256
c96ee198b28c9a5c41f86e2e5f56cbec4de7f6168aeee9a045c893643ed5f4c4

SHA512
f94bc13b6d19454e8f82f0734522de3957c24aec7081f767ccb33f9aa00497b99e593ccd14179306493388746e62dcdf97febc95ee0e1108fdcf5f459601d4a9

Download Submit
memory/2280-7-0x000000000F000000-0x000000000F081000-memory.dmp

Filesize
516KB

Download
memory/2860-6-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download