e12431896184060e3bf3c8d25913db7119ab2417504db05f0477483605d513b5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
Size

17.6MB
MD5

4debd045774eec54d76b00e78c1259a5
SHA1

2f533d5f5b0ff74f75b2a8a8f77ec1b673c446a8
SHA256

e12431896184060e3bf3c8d25913db7119ab2417504db05f0477483605d513b5
SHA512

773dc18dc105f74f87de5af6fff507fa1511d5cb56b8f141afd52ac68e27bf808b407239f658ff0f49b4b3dcc8f0df9fd39a8cf0cae54665cf76558af3bf724b
SSDEEP

192:i2VAKqGxc49My2dNQOm49A476byj9zHJeyJ+43cDimP1oydUV8z5L/CldolMGoVT:iPqcxwAd+43cWQ1jUa1LCcM4aeWFj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\Googlets.exe"	Googlets.exe

Deletes itself 1 IoCs

pid	Process
4152	Googlets.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	Googlets.exe
4152	Googlets.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
File created	C:\Windows\Googlets.exe	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlets.exe	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlets.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 2980	3424	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	83
PID 3424 wrote to memory of 2980	3424	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	83
PID 3424 wrote to memory of 2980	3424	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	83
PID 2980 wrote to memory of 3056	2980	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	87
PID 2980 wrote to memory of 3056	2980	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	87
PID 2980 wrote to memory of 3056	2980	4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe	87
PID 3056 wrote to memory of 4152	3056	Googlets.exe	88
PID 3056 wrote to memory of 4152	3056	Googlets.exe	88
PID 3056 wrote to memory of 4152	3056	Googlets.exe	88

C:\Users\Admin\AppData\Local\Temp\4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4debd045774eec54d76b00e78c1259a5_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\Googlets.exe
    "C:\Windows\Googlets.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\Googlets.exe
      "C:\Windows\Googlets.exe"
      4⤵
      Modifies WinLogon for persistence
      Deletes itself
      Executes dropped EXE
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
2d2caf5edee706d75de553ce945e70eb

SHA1
64cc05e73cf143ad4496a528e5534f1833a82915

SHA256
8115eb68f44bdd0b1cf43479bc3bd22b11e2ee295e954627eadbdf834a636fc3

SHA512
f8ea84414ee3170eb1577ac7c5d9cb5336f9af7ba942ff4f648e6d72383508cc6ac1951ac266c7370846a61705cd1eae1f6918cecabca10cbc5d1e751ae817a8

Download Submit
C:\Windows\Googlets.exe

Filesize
42.8MB

MD5
37ae59b043eafc6099afaeadb2ab3faa

SHA1
65ba79356f6781d9f7bc30a01df0f09ad2c9a0b8

SHA256
fdd3fbf8fdc992e7d294b9157027cad1b56ae84e95dfa51de639b2a1a254a6d4

SHA512
b5747989aa1f3df14531480f49b2d47b705958b3fad9003420562bd5be7697126f06e53ab80ced75a23e13b761d641c08e95a3ff2a1d6018fc0a405efacb1960

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads