2bfeecb07dac4cfbc5aac46cda268086591c04a48143fd9b655d6a9a49fa1e4a

General

Target

ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Size

2.1MB
MD5

ecdb578d7aab5ba42c2c99bdb80eaa28
SHA1

532c6a870df0451d157f6cea55e2e3e3ea4a38de
SHA256

2bfeecb07dac4cfbc5aac46cda268086591c04a48143fd9b655d6a9a49fa1e4a
SHA512

f6e8bd93564b29cec70c66a18d0a323abebc5a7268c82d97450c41bebd94d280aab354fc1c007cd37336cf80eea1e380197dba7daaf32269787d896d341f4d7f
SSDEEP

192:c2/2VgqKGxmQtAy2dNQOa099GfsvYgmhT9zHJxhlQtAwimP1oyG+RakdG:c2/vg0xlGHjRNvQtAjQ14+tE

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exeC:\\Windows\\Googlets.exe"	Googlets.exe

Deletes itself 1 IoCs

pid	Process
2880	Googlets.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	Googlets.exe
2880	Googlets.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File created	C:\Windows\Googlets.exe	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlets.exe	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googlets.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlets.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2548	2528	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2548	2528	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2548	2528	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2548	2528	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	30
PID 2548 wrote to memory of 1248	2548	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1248	2548	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1248	2548	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	31
PID 2548 wrote to memory of 1248	2548	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	31
PID 1248 wrote to memory of 2880	1248	Googlets.exe	32
PID 1248 wrote to memory of 2880	1248	Googlets.exe	32
PID 1248 wrote to memory of 2880	1248	Googlets.exe	32
PID 1248 wrote to memory of 2880	1248	Googlets.exe	32

C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Googlets.exe
    "C:\Windows\Googlets.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\Googlets.exe
      "C:\Windows\Googlets.exe"
      4⤵
      Modifies WinLogon for persistence
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
9b33a07f304bceb598b916c992017a68

SHA1
116d187cd7c8ef6372e51b43d3300d930adeb4fe

SHA256
7c482e5d9a560d2a44cd538268501773e1c18b29f18382f599276f8937a1e830

SHA512
0571c6de775f9301b522fbc57fbfbf0117ff6e662742804d168e2c072be307ec663bf8f55846b478fb88f5ecc38c3d96f6e980a4bc51bf77ec4ff6b7b6e10c5d

Download Submit
C:\Windows\Googlets.exe

Filesize
22.1MB

MD5
3561f28e223d7d5cc34413018bdd6749

SHA1
5ae0b94f4bf030dde3a6e62771c893b1f2d78442

SHA256
379138d74119e56a8d0f9d4f91ea4b0da432c7e77736d4191167808d1495325c

SHA512
aff65f9ef8358fbf364d29c79e150ed6f9e9bbad6819291a511be4c2a07d29ac5c4298321e0c8043b31edf4385d4514067e40051147b87b19117edcab39f1643

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads