1c34911853772725511ac05ec32b06a1cc84a1a44c7781281e512cc92ef80ca8

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
Size

752KB
MD5

81c647da331f5ff778e901589cfaec68
SHA1

3338b0d1ef3aed4685d12e3ff136357c264c2e2c
SHA256

1c34911853772725511ac05ec32b06a1cc84a1a44c7781281e512cc92ef80ca8
SHA512

f86be632a6922541fad9118b38863256f25725470887db82f616331ebb729be73441761f2e6c61ab553a9cb3fcc06c603c1557a5c231e8048dc032fdb94fb691
SSDEEP

12288:B2AHzYq9e9ks1yMMcU45uNqJbrfBS3EU9LE0kVRi7TlcNKjsaE7pQ/qLJ48:ceYqUys1lCqJbzBST405xHxE7pyqLm

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4808	winlogin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\system32\\winlogin.exe\""	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winlogin.exe	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlogin.exe	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4808	winlogin.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4988	4248	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe	86
PID 4248 wrote to memory of 4988	4248	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe	86
PID 4248 wrote to memory of 4988	4248	81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe	86
PID 4988 wrote to memory of 4808	4988	cmd.exe	88
PID 4988 wrote to memory of 4808	4988	cmd.exe	88
PID 4988 wrote to memory of 4808	4988	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c647da331f5ff778e901589cfaec68_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /cC:\Windows\system32\winlogin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\winlogin.exe
    C:\Windows\system32\winlogin.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winlogin.exe

Filesize
752KB

MD5
81c647da331f5ff778e901589cfaec68

SHA1
3338b0d1ef3aed4685d12e3ff136357c264c2e2c

SHA256
1c34911853772725511ac05ec32b06a1cc84a1a44c7781281e512cc92ef80ca8

SHA512
f86be632a6922541fad9118b38863256f25725470887db82f616331ebb729be73441761f2e6c61ab553a9cb3fcc06c603c1557a5c231e8048dc032fdb94fb691

Download Submit
memory/4248-0-0x000000000050E000-0x000000000050F000-memory.dmp

Filesize
4KB

Download
memory/4248-1-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4248-5-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4808-9-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4808-10-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4808-13-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4808-14-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads