9489ce23ffced58c9247089d34fc4edbe66be27afda764e74fa40ff639be4ffc

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
Size

22KB
MD5

26c11cfa8bc27f5deddcb89ed32ee3b7
SHA1

0f85860383685f51f700bbc57ea08b00201c651c
SHA256

9489ce23ffced58c9247089d34fc4edbe66be27afda764e74fa40ff639be4ffc
SHA512

d16543b23b69db8d9efe5c62308f20f909e6ae156fd3b967cc5acd5f14aac04dc6b14c2ba5098a40b84a99b7f3517b447135ea20c9008e403ed2dcb6268f3941
SSDEEP

384:iMiNPiiiEGBXloBoymt4RmJoP1+vd+7xVbFNiM8oEAe/jh31fc+i2RE5u8N55Y:iM6iEOVo+ye4Rmnvex9FNqbT/jx1cfUD

Score

10^/10

persistence vmprotect

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

21.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,rundll32.exe c:\\Progra~1\\mhzx\\tlmhzx1104.dll Start,"	21.exe

Executes dropped EXE 1 IoCs

Processes:

21.exe

pid process

1188 21.exe
Loads dropped DLL 6 IoCs

Processes:

26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exerundll32.exe

pid process

2188 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
2188 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
3056 rundll32.exe
3056 rundll32.exe
3056 rundll32.exe
3056 rundll32.exe

pid	process
2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\??\c:\Progra~1\mhzx\tlmhzx1104.dll	vmprotect
behavioral1/memory/3056-25-0x0000000010000000-0x000000001000D000-memory.dmp	vmprotect
behavioral1/memory/3056-29-0x0000000010000000-0x000000001000D000-memory.dmp	vmprotect

Drops file in Program Files directory 5 IoCs

Processes:

21.exe

description	ioc	process
File opened for modification	C:\Program Files\tlmhzx.dat	21.exe
File created	C:\Program Files\tlmhzx.dat	21.exe
File opened for modification	C:\Program Files\tlmhzx2.dat	21.exe
File created	C:\Program Files\tlmhzx2.dat	21.exe
File created	C:\Program Files\mhzx\tlmhzx1104.dll	21.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

21.exerundll32.exe

pid	process
1188	21.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe
3056	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

21.exe

pid process

1188 21.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe21.exe

description	pid	process	target process
PID 2188 wrote to memory of 1188	2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe	21.exe
PID 2188 wrote to memory of 1188	2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe	21.exe
PID 2188 wrote to memory of 1188	2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe	21.exe
PID 2188 wrote to memory of 1188	2188	26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe	21.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 3056	1188	21.exe	rundll32.exe
PID 1188 wrote to memory of 2996	1188	21.exe	cmd.exe
PID 1188 wrote to memory of 2996	1188	21.exe	cmd.exe
PID 1188 wrote to memory of 2996	1188	21.exe	cmd.exe
PID 1188 wrote to memory of 2996	1188	21.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\21.exe
21.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe c:\Progra~1\mhzx\tlmhzx1104.dll Start
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\21.exe
3⤵
PID:2996

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sun3.exe
Filesize
64KB

MD5
e062554c114d711a946ff413d44b38f7

SHA1
4182e651adb529d48f139e81693c4b23423c2b3c

SHA256
9dfa4ddd8b410cb5c22bd653557cb24f5b66b7ed60da98269ac48a50c2e7bd91

SHA512
71847ee706a31f2f72731bf21cfd211a5a9043e40b0b61849600d18fc7630062e12550b0f0b40842de9facadacac5eb8faa01cb0fc89d4ca7dbeedc481325f89

Download Submit
\??\c:\Progra~1\mhzx\tlmhzx1104.dll
Filesize
48KB

MD5
a5d0aae909eabbd2e28babd6c2233683

SHA1
ac0fb5bc3f5b2a7093379c8222be9de02376f715

SHA256
483a488f495b3018d72f1e807435dfc1f840be8ffa9ae49985c39eee0fe7a48e

SHA512
9dcec3b6454109dcb639b73502cdd516b2e177b6959799bc62416ee79e182bb38de33c94005fbb1e8299fa4fd4c99bc0c7d621282653d1c4517d7a655a90ef4d

Download Submit
\Users\Admin\AppData\Local\Temp\21.exe
Filesize
64KB

MD5
8fb5f989b7421a044ea968b921fa5ba9

SHA1
c3c9eb565dd69d27cef7c03585149c1a8c2684de

SHA256
3f64e2b60f321cdcbe1682ef45730e68eea3763b6b72b143c7dfa2f9ce8360db

SHA512
ab87277bc18633d30bc7d749af4ddf92a31438a617becb7f1d7e6193af950d00a67e2fffeb32c8f00ff1c1239575b98f11fc15e780238371244bda195fe5278b

Download Submit
memory/3056-25-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download
memory/3056-29-0x0000000010000000-0x000000001000D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads