2bfeecb07dac4cfbc5aac46cda268086591c04a48143fd9b655d6a9a49fa1e4a

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Size

2.1MB
MD5

ecdb578d7aab5ba42c2c99bdb80eaa28
SHA1

532c6a870df0451d157f6cea55e2e3e3ea4a38de
SHA256

2bfeecb07dac4cfbc5aac46cda268086591c04a48143fd9b655d6a9a49fa1e4a
SHA512

f6e8bd93564b29cec70c66a18d0a323abebc5a7268c82d97450c41bebd94d280aab354fc1c007cd37336cf80eea1e380197dba7daaf32269787d896d341f4d7f
SSDEEP

192:c2/2VgqKGxmQtAy2dNQOa099GfsvYgmhT9zHJxhlQtAwimP1oyG+RakdG:c2/vg0xlGHjRNvQtAjQ14+tE

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\Googleqs.exe"	Googleqs.exe

Deletes itself 1 IoCs

pid	Process
4740	Googleqs.exe

Executes dropped EXE 2 IoCs

pid	Process
2452	Googleqs.exe
4740	Googleqs.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File created	C:\Windows\Googleqs.exe	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File opened for modification	C:\Windows\Googleqs.exe	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
File created	C:\Windows\Debugs.inf	Googleqs.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleqs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googleqs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4760	3220	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	82
PID 3220 wrote to memory of 4760	3220	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	82
PID 3220 wrote to memory of 4760	3220	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	82
PID 4760 wrote to memory of 2452	4760	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	83
PID 4760 wrote to memory of 2452	4760	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	83
PID 4760 wrote to memory of 2452	4760	ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe	83
PID 2452 wrote to memory of 4740	2452	Googleqs.exe	84
PID 2452 wrote to memory of 4740	2452	Googleqs.exe	84
PID 2452 wrote to memory of 4740	2452	Googleqs.exe	84

C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ecdb578d7aab5ba42c2c99bdb80eaa28_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\Googleqs.exe
    "C:\Windows\Googleqs.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\Googleqs.exe
      "C:\Windows\Googleqs.exe"
      4⤵
      Modifies WinLogon for persistence
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
9b33a07f304bceb598b916c992017a68

SHA1
116d187cd7c8ef6372e51b43d3300d930adeb4fe

SHA256
7c482e5d9a560d2a44cd538268501773e1c18b29f18382f599276f8937a1e830

SHA512
0571c6de775f9301b522fbc57fbfbf0117ff6e662742804d168e2c072be307ec663bf8f55846b478fb88f5ecc38c3d96f6e980a4bc51bf77ec4ff6b7b6e10c5d

Download Submit
C:\Windows\Googleqs.exe

Filesize
2.7MB

MD5
dcc736ea521686e405b264d55a71a353

SHA1
0cd8779340f28f05fc4cdcae49c55775186175c9

SHA256
a7970908d891ecc20be7afff0a736e9f6ff500247dcbf3a95b9aa82bf6a09441

SHA512
3e114276adb6365bd997b846d2f1c2506b45b6d53b2aaf9033f7a2389e43cc05b6d588f44f994954f3aba0436fdb38774f2fe5014cebd58279eb8c93db7590ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads