Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 00:10
Static task
- static1
Behavioral task
- behavioral1
  Sample: 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
- Target: 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe
- Size: 22KB
- MD5: 26c11cfa8bc27f5deddcb89ed32ee3b7
- SHA1: 0f85860383685f51f700bbc57ea08b00201c651c
- SHA256: 9489ce23ffced58c9247089d34fc4edbe66be27afda764e74fa40ff639be4ffc
- SHA512: d16543b23b69db8d9efe5c62308f20f909e6ae156fd3b967cc5acd5f14aac04dc6b14c2ba5098a40b84a99b7f3517b447135ea20c9008e403ed2dcb6268f3941
- SSDEEP: 384:iMiNPiiiEGBXloBoymt4RmJoP1+vd+7xVbFNiM8oEAe/jh31fc+i2RE5u8N55Y:iM6iEOVo+ye4Rmnvex9FNqbT/jx1cfUD
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: 21.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,rundll32.exe c:\\Progra~1\\mhzx\\tlmhzx1104.dll Start," | 21.exe
- Executes dropped EXE (1 IoCs)
  Processes: 21.exe
  pid | process
  4972 | 21.exe
- Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
  pid | process
  3264 | rundll32.exe
- Processes:
  resource | yara_rule
  \??\c:\Progra~1\mhzx\tlmhzx1104.dll | vmprotect
  behavioral2/memory/3264-17-0x0000000010000000-0x000000001000D000-memory.dmp | vmprotect
  behavioral2/memory/3264-21-0x0000000010000000-0x000000001000D000-memory.dmp | vmprotect
- Drops file in Program Files directory (5 IoCs)
  Processes: 21.exe
  description | ioc | process
  File opened for modification | C:\Program Files\tlmhzx.dat | 21.exe
  File created | C:\Program Files\tlmhzx.dat | 21.exe
  File opened for modification | C:\Program Files\tlmhzx2.dat | 21.exe
  File created | C:\Program Files\tlmhzx2.dat | 21.exe
  File created | C:\Program Files\mhzx\tlmhzx1104.dll | 21.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 21.exe, rundll32.exe
  pid | process
  4972 | 21.exe (2 entries)
  3264 | rundll32.exe (all remaining entries of the 64, repeated)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 21.exe
  pid | process
  4972 | 21.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe, 21.exe
  description | pid | process | target process
  PID 3772 wrote to memory of 4972 | 3772 | 26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe | 21.exe (3 entries)
  PID 4972 wrote to memory of 3264 | 4972 | 21.exe | rundll32.exe (3 entries)
  PID 4972 wrote to memory of 4400 | 4972 | 21.exe | cmd.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26c11cfa8bc27f5deddcb89ed32ee3b7_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\21.exe (depth 2)
    Command line: 21.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: C:\Windows\system32\rundll32.exe c:\Progra~1\mhzx\tlmhzx1104.dll Start
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\21.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\21.exe
  Filesize: 64KB
  MD5: 8fb5f989b7421a044ea968b921fa5ba9
  SHA1: c3c9eb565dd69d27cef7c03585149c1a8c2684de
  SHA256: 3f64e2b60f321cdcbe1682ef45730e68eea3763b6b72b143c7dfa2f9ce8360db
  SHA512: ab87277bc18633d30bc7d749af4ddf92a31438a617becb7f1d7e6193af950d00a67e2fffeb32c8f00ff1c1239575b98f11fc15e780238371244bda195fe5278b
- C:\Users\Admin\AppData\Local\Temp\Sun3.exe
  Filesize: 64KB
  MD5: e062554c114d711a946ff413d44b38f7
  SHA1: 4182e651adb529d48f139e81693c4b23423c2b3c
  SHA256: 9dfa4ddd8b410cb5c22bd653557cb24f5b66b7ed60da98269ac48a50c2e7bd91
  SHA512: 71847ee706a31f2f72731bf21cfd211a5a9043e40b0b61849600d18fc7630062e12550b0f0b40842de9facadacac5eb8faa01cb0fc89d4ca7dbeedc481325f89
- \??\c:\Progra~1\mhzx\tlmhzx1104.dll
  Filesize: 48KB
  MD5: a5d0aae909eabbd2e28babd6c2233683
  SHA1: ac0fb5bc3f5b2a7093379c8222be9de02376f715
  SHA256: 483a488f495b3018d72f1e807435dfc1f840be8ffa9ae49985c39eee0fe7a48e
  SHA512: 9dcec3b6454109dcb639b73502cdd516b2e177b6959799bc62416ee79e182bb38de33c94005fbb1e8299fa4fd4c99bc0c7d621282653d1c4517d7a655a90ef4d
- memory/3264-17-0x0000000010000000-0x000000001000D000-memory.dmp
  Filesize: 52KB
- memory/3264-21-0x0000000010000000-0x000000001000D000-memory.dmp
  Filesize: 52KB