Analysis Overview
SHA256
93b304f118709f87fc7233fea68eeb6471d4eb5bb2c2d81684e1fea1a03e82cf
Threat Level: Known bad
The file 7717f4dc57fe4ba6ff71c5404318b6b0_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
Drops file in Drivers directory
Checks computer location settings
Reads local data of messenger clients
Reads data files stored by FTP clients
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Deletes itself
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-27 04:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 04:43
Reported
2024-07-30 06:24
Platform
win7-20240708-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"
Network
Files
memory/2308-0-0x0000000000B80000-0x00000000011C4000-memory.dmp
memory/2308-1-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2308-2-0x00000000740EE000-0x00000000740EF000-memory.dmp
memory/2308-3-0x0000000000B80000-0x00000000011C4000-memory.dmp
memory/2308-4-0x0000000000B80000-0x00000000011C4000-memory.dmp
memory/2308-5-0x00000000740E0000-0x00000000747CE000-memory.dmp
memory/2308-6-0x00000000740E0000-0x00000000747CE000-memory.dmp
memory/2308-8-0x0000000000B80000-0x00000000011C4000-memory.dmp
memory/2308-10-0x00000000740EE000-0x00000000740EF000-memory.dmp
memory/2308-11-0x00000000740E0000-0x00000000747CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 04:43
Reported
2024-07-30 06:24
Platform
win10v2004-20240709-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\PLogger P8 gold Edi.6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/856-0-0x0000000000090000-0x00000000006D4000-memory.dmp
memory/856-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
memory/856-2-0x000000007421E000-0x000000007421F000-memory.dmp
memory/856-3-0x0000000000090000-0x00000000006D4000-memory.dmp
memory/856-4-0x0000000000090000-0x00000000006D4000-memory.dmp
memory/856-5-0x0000000006510000-0x00000000065AC000-memory.dmp
memory/856-6-0x0000000006B60000-0x0000000007104000-memory.dmp
memory/856-7-0x0000000006750000-0x00000000067E2000-memory.dmp
memory/856-10-0x0000000074210000-0x00000000749C0000-memory.dmp
memory/856-9-0x00000000067F0000-0x0000000006846000-memory.dmp
memory/856-8-0x00000000064E0000-0x00000000064EA000-memory.dmp
memory/856-11-0x0000000074210000-0x00000000749C0000-memory.dmp
memory/856-13-0x0000000000090000-0x00000000006D4000-memory.dmp
memory/856-15-0x000000007421E000-0x000000007421F000-memory.dmp
memory/856-16-0x0000000074210000-0x00000000749C0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-27 04:43
Reported
2024-07-30 06:24
Platform
win7-20240704-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3064 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 3064 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 3064 wrote to memory of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| IE | 74.125.193.109:587 | smtp.gmail.com | tcp |
| IE | 74.125.193.109:587 | smtp.gmail.com | tcp |
Files
memory/3064-0-0x000007FEF625E000-0x000007FEF625F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 6c4e602268e4b8bd575b7db917e48831 |
| SHA1 | 870ff297863a9248b5a12339a38328eed6390d13 |
| SHA256 | 26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740 |
| SHA512 | b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e |
memory/3064-7-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/3064-8-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-9-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-10-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/3064-11-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | c356a02c7f1a1918794aef71af9b4b2c |
| SHA1 | 6de454586b976a4adafb43de81fe706b0b93a949 |
| SHA256 | fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7 |
| SHA512 | a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f |
memory/2276-13-0x0000000000A10000-0x0000000000A38000-memory.dmp
memory/2276-14-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-15-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-16-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-20-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-21-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-22-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-23-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-24-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
memory/2276-25-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-27 04:43
Reported
2024-07-30 06:24
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2620 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe
"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| IE | 74.125.193.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| IE | 74.125.193.109:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/2620-0-0x00007FFB90155000-0x00007FFB90156000-memory.dmp
memory/2620-1-0x000000001C210000-0x000000001C6DE000-memory.dmp
memory/2620-2-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/2620-3-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/2620-4-0x000000001C7D0000-0x000000001C876000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 6c4e602268e4b8bd575b7db917e48831 |
| SHA1 | 870ff297863a9248b5a12339a38328eed6390d13 |
| SHA256 | 26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740 |
| SHA512 | b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e |
memory/2620-18-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-19-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-20-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-21-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | c356a02c7f1a1918794aef71af9b4b2c |
| SHA1 | 6de454586b976a4adafb43de81fe706b0b93a949 |
| SHA256 | fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7 |
| SHA512 | a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f |
memory/1052-23-0x000000001C7B0000-0x000000001C812000-memory.dmp
memory/1052-24-0x000000001CF60000-0x000000001CFFC000-memory.dmp
memory/1052-25-0x000000001C710000-0x000000001C738000-memory.dmp
memory/1052-27-0x000000001D4C0000-0x000000001D50C000-memory.dmp
memory/1052-26-0x000000001C6D0000-0x000000001C6D8000-memory.dmp
memory/1052-28-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-29-0x000000001FD00000-0x000000002000E000-memory.dmp
memory/1052-30-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-34-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-35-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp
memory/1052-36-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmp