27c17ac228efd949472eb6ae39a06bdd03800c844493dcca403fd796f28ea264

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
Size

408KB
MD5

c0295dea3276f496ecdcbb7f09c211b5
SHA1

86313c5b2a137c9cf2115efc391fe150ccce9f80
SHA256

27c17ac228efd949472eb6ae39a06bdd03800c844493dcca403fd796f28ea264
SHA512

bc65a6f18df716ab98110efa38dc1d1f8f57c1414f5d97a74e243baa053ae55d84a10f7cf073b88e2c713d527db53c4bc1bb6527c07429177619ecdbc0bff407
SSDEEP

12288:1tV9+YJrk3Nmj2nWFEqnxKkCb67CvSjJ2F8qlAXVvsX5x5sP:F9o77qn/O671J2Mq/5e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
932	winlogom.exe
3468	winlogom.exe
1576	winlogom.exe
456	winlogom.exe
2440	winlogom.exe
4932	winlogom.exe
4792	winlogom.exe
2764	winlogom.exe
4664	winlogom.exe
4152	winlogom.exe
2380	winlogom.exe
3636	winlogom.exe
4748	winlogom.exe
860	winlogom.exe
1612	winlogom.exe
3836	winlogom.exe
2896	winlogom.exe
2964	winlogom.exe
3328	winlogom.exe
3760	winlogom.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File opened for modification	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe
File created	C:\Windows\SysWOW64\winlogom.exe	winlogom.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4664 set thread context of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 932 set thread context of 3468	932	winlogom.exe	89
PID 1576 set thread context of 456	1576	winlogom.exe	98
PID 2440 set thread context of 4932	2440	winlogom.exe	101
PID 4792 set thread context of 2764	4792	winlogom.exe	105
PID 4664 set thread context of 4152	4664	winlogom.exe	107
PID 2380 set thread context of 3636	2380	winlogom.exe	110
PID 4748 set thread context of 860	4748	winlogom.exe	112
PID 1612 set thread context of 3836	1612	winlogom.exe	122
PID 2896 set thread context of 2964	2896	winlogom.exe	124
PID 3328 set thread context of 3760	3328	winlogom.exe	129

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 4664 wrote to memory of 3312	4664	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	84
PID 3312 wrote to memory of 932	3312	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	86
PID 3312 wrote to memory of 932	3312	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	86
PID 3312 wrote to memory of 932	3312	c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe	86
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 932 wrote to memory of 3468	932	winlogom.exe	89
PID 3468 wrote to memory of 1576	3468	winlogom.exe	97
PID 3468 wrote to memory of 1576	3468	winlogom.exe	97
PID 3468 wrote to memory of 1576	3468	winlogom.exe	97
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 1576 wrote to memory of 456	1576	winlogom.exe	98
PID 456 wrote to memory of 2440	456	winlogom.exe	100
PID 456 wrote to memory of 2440	456	winlogom.exe	100
PID 456 wrote to memory of 2440	456	winlogom.exe	100
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 2440 wrote to memory of 4932	2440	winlogom.exe	101
PID 4932 wrote to memory of 4792	4932	winlogom.exe	104
PID 4932 wrote to memory of 4792	4932	winlogom.exe	104
PID 4932 wrote to memory of 4792	4932	winlogom.exe	104
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 4792 wrote to memory of 2764	4792	winlogom.exe	105
PID 2764 wrote to memory of 4664	2764	winlogom.exe	106
PID 2764 wrote to memory of 4664	2764	winlogom.exe	106

C:\Users\Admin\AppData\Local\Temp\c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\winlogom.exe
    C:\Windows\system32\winlogom.exe 1120 "C:\Users\Admin\AppData\Local\Temp\c0295dea3276f496ecdcbb7f09c211b5_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\winlogom.exe
      C:\Windows\SysWOW64\winlogom.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1148 "C:\Windows\SysWOW64\winlogom.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1124 "C:\Windows\SysWOW64\winlogom.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1124 "C:\Windows\SysWOW64\winlogom.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\system32\winlogom.exe 1120 "C:\Windows\SysWOW64\winlogom.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Windows\SysWOW64\winlogom.exe
        
        C:\Windows\SysWOW64\winlogom.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winlogom.exe

Filesize
408KB

MD5
c0295dea3276f496ecdcbb7f09c211b5

SHA1
86313c5b2a137c9cf2115efc391fe150ccce9f80

SHA256
27c17ac228efd949472eb6ae39a06bdd03800c844493dcca403fd796f28ea264

SHA512
bc65a6f18df716ab98110efa38dc1d1f8f57c1414f5d97a74e243baa053ae55d84a10f7cf073b88e2c713d527db53c4bc1bb6527c07429177619ecdbc0bff407

Download Submit
memory/456-24-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/456-27-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/860-62-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2764-41-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/2964-76-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3312-2-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3312-3-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3312-0-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3312-16-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3468-17-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3468-18-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3636-55-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3760-83-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/3836-69-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4152-48-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download
memory/4932-34-0x0000000000400000-0x0000000000503000-memory.dmp

Filesize
1.0MB

Download