ced3f69c5015fda2df1fe2a1a2a1ee84941c2370b62f34cd2d104def12046d29

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
Size

9.1MB
MD5

ee29f7159117c6c5c3ee081947025254
SHA1

565ceb57559ce367ab740b928fc547661b0aad7f
SHA256

ced3f69c5015fda2df1fe2a1a2a1ee84941c2370b62f34cd2d104def12046d29
SHA512

f5c79a0881599abdd037d9df3107d75e24a5d77459cc1cf5e9b69ed29a92082d69a65c33ade2089fe4430a95a91cb7ed4583262b970c6773d53760b560a2276c
SSDEEP

192:8/2VgKqGxoQt0y2dNQOa099G/OAYvbyj9zHJeyJ+43cDimP1oydUb8z5L/Cldoli:8/vmExlGqwd+43cWQ1jUA1LCcM4aeWFJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\Googlegd.exe"	Googlegd.exe

Deletes itself 1 IoCs

pid	Process
1760	Googlegd.exe

Executes dropped EXE 2 IoCs

pid	Process
5084	Googlegd.exe
1760	Googlegd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Debugs.inf	Googlegd.exe
File created	C:\Windows\Debugs.inf	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
File created	C:\Windows\Googlegd.exe	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
File opened for modification	C:\Windows\Googlegd.exe	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Googlegd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1420	1836	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	82
PID 1836 wrote to memory of 1420	1836	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	82
PID 1836 wrote to memory of 1420	1836	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	82
PID 1420 wrote to memory of 5084	1420	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	83
PID 1420 wrote to memory of 5084	1420	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	83
PID 1420 wrote to memory of 5084	1420	ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe	83
PID 5084 wrote to memory of 1760	5084	Googlegd.exe	84
PID 5084 wrote to memory of 1760	5084	Googlegd.exe	84
PID 5084 wrote to memory of 1760	5084	Googlegd.exe	84

C:\Users\Admin\AppData\Local\Temp\ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ee29f7159117c6c5c3ee081947025254_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\Googlegd.exe
    "C:\Windows\Googlegd.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\Googlegd.exe
      "C:\Windows\Googlegd.exe"
      4⤵
      Modifies WinLogon for persistence
      Deletes itself
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MyTemp

Filesize
84B

MD5
daa0ccbbd9691901168264284cbeeb27

SHA1
04951899091e1d31a74bd04f76ca5bfbf2593c8a

SHA256
f2372cac48700cf4103312d65ef5c3a2aa6bf44cb21a1a6361775e7d913a2729

SHA512
41efeb4bd0e229be2734ee5d28e2df5e5312e87f468310720da894803766911e56d0b17994a06c537697c51764e8721b77108034b35bb0a8e128dc33a79e4b77

Download Submit
C:\Windows\Googlegd.exe

Filesize
21.2MB

MD5
db66fcc1b9903392a43197d3cc71e9c8

SHA1
674f5ec0d93d441f3d4bd1219854d1510805cf4d

SHA256
c2b161e52d402acbd0b00e320a36a58680670f67353e8a11de70e6cf1625c452

SHA512
bf8fc72b33a50d712286f9ca1b2aacc0ab80028f93a45d26e8dc23559a128b900e9ffd1001584d4a304e8269a0ba196c58f02e1933df6d2906c50ab6b9c31a9e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads