lgoogloader | d1659558b3083521cf5aaa0013c11b978fc9321253d164d06f810ed0710f7f84

General

Target

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe
Size

60KB
MD5

f746430b531e636a1c403f0d0724343a
SHA1

a15c3f7127b4dad612ea7c98df836f69cd392db6
SHA256

d1659558b3083521cf5aaa0013c11b978fc9321253d164d06f810ed0710f7f84
SHA512

c02f2d349aa086dba7e9fc1e49eae6486cd030f319fef96903fee02d7729b6f22fbe3a0888118b1ab5d035d827e391d2fe2959f58fe7a7da0fbf4d5c2507558f
SSDEEP

768:pcTTIS1thTzm515fyHTFyowvh2AsM4TKkwubTM3kcCGSWeZyQMi2jXHU9:pcQS1nXTwzcpTKCEeZyX9rHU9

Score

10^/10

lgoogloader discovery downloader

Malware Config

Signatures

Detects LgoogLoader payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-2-0x0000000000010000-0x0000000000022000-memory.dmp	family_lgoogloader
behavioral2/memory/1564-4-0x0000000000A70000-0x0000000000A82000-memory.dmp	family_lgoogloader
behavioral2/memory/4752-9-0x0000000000010000-0x0000000000022000-memory.dmp	family_lgoogloader
behavioral2/memory/4752-7-0x0000000000010000-0x0000000000022000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Deletes itself 1 IoCs

Processes:

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe

pid process

1564 f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe
Executes dropped EXE 2 IoCs

Processes:

nfohQDpFNZNq

pid process

4752 nfohQD
3692 pFNZNq

pid	process
1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe

pid	process
4752	nfohQD
3692	pFNZNq

Suspicious use of SetThreadContext 2 IoCs

Processes:

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exenfohQD

description	pid	process	target process
PID 1564 set thread context of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 4752 set thread context of 3692	4752	nfohQD	pFNZNq

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5088 3692 WerFault.exe pFNZNq

pid	pid_target	process	target process
5088	3692	WerFault.exe	pFNZNq

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exenfohQDpFNZNq

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfohQD
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pFNZNq

Suspicious behavior: RenamesItself 1 IoCs

Processes:

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe

pid process

1564 f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe

pid	process
1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f746430b531e636a1c403f0d0724343a_JaffaCakes118.exenfohQD

description	pid	process	target process
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 1564 wrote to memory of 4752	1564	f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe	nfohQD
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq
PID 4752 wrote to memory of 3692	4752	nfohQD	pFNZNq

C:\Users\Admin\AppData\Local\Temp\f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f746430b531e636a1c403f0d0724343a_JaffaCakes118.exe"
1⤵
- Deletes itself
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\SCDbUicnPEHskQmybW\nfohQD
  C:\Users\Admin\AppData\Local\Temp\SCDbUicnPEHskQmybW\nfohQD
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\jUdtDBLfpePPnksuDY\pFNZNq
    C:\Users\Admin\AppData\Local\Temp\jUdtDBLfpePPnksuDY\pFNZNq
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 256
      4⤵
      Program crash
      PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3692 -ip 3692
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SCDbUicnPEHskQmybW\nfohQD

Filesize
42KB

MD5
9dabbd84d79a0330f7635748177a2d93

SHA1
73a4e520d772e4260651cb20b61ba4cb9a29635a

SHA256
a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d

SHA512
020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314

Download Submit
memory/1564-4-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/3692-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3692-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3692-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3692-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4752-2-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/4752-9-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/4752-16-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/4752-7-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads