01bfc80c31f61f080f520341756270d62abde4dd8a8a626d57cd1d88ef456805

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
Size

177KB
MD5

270e39909b8fb1d06bb44811f9a1aa05
SHA1

c0a7a7129e04f0594781d5f0a5a209e301af94b7
SHA256

01bfc80c31f61f080f520341756270d62abde4dd8a8a626d57cd1d88ef456805
SHA512

c99c68b34dead08adec21946232dd8cc3cfdcf514e3fa60c69fd048cb96bb9658dab61202091f35e2142ef90b44b99ab630a7bf3dcae1b386d75a35a09c9d128
SSDEEP

3072:mR6mbYMxVjoLrg/TGi8BfWXoZyVTmMos7BTqpSkKBmDkYBYm/1PW2/ePln:qrGk6i8BfioZyVTm4dWpSk0mvYm9PJ+

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2684	winlogn.exe
2220	winlogn.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogn.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winlogn.exe"	winlogn.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	winlogn.exe
File opened (read-only)	\??\Y:	winlogn.exe
File opened (read-only)	\??\Z:	winlogn.exe
File opened (read-only)	\??\G:	winlogn.exe
File opened (read-only)	\??\K:	winlogn.exe
File opened (read-only)	\??\Q:	winlogn.exe
File opened (read-only)	\??\P:	winlogn.exe
File opened (read-only)	\??\S:	winlogn.exe
File opened (read-only)	\??\U:	winlogn.exe
File opened (read-only)	\??\V:	winlogn.exe
File opened (read-only)	\??\E:	winlogn.exe
File opened (read-only)	\??\J:	winlogn.exe
File opened (read-only)	\??\L:	winlogn.exe
File opened (read-only)	\??\M:	winlogn.exe
File opened (read-only)	\??\N:	winlogn.exe
File opened (read-only)	\??\R:	winlogn.exe
File opened (read-only)	\??\T:	winlogn.exe
File opened (read-only)	\??\W:	winlogn.exe
File opened (read-only)	\??\H:	winlogn.exe
File opened (read-only)	\??\I:	winlogn.exe
File opened (read-only)	\??\X:	winlogn.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2684 set thread context of 2220	2684	winlogn.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
2684	winlogn.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2664 wrote to memory of 2996	2664	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	30
PID 2996 wrote to memory of 2684	2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2684	2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2684	2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	31
PID 2996 wrote to memory of 2684	2996	270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32
PID 2684 wrote to memory of 2220	2684	winlogn.exe	32

C:\Users\Admin\AppData\Local\Temp\270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\270e39909b8fb1d06bb44811f9a1aa05_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Roaming\Microsoft\winlogn.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\winlogn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\winlogn.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\winlogn.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\winlogn.exe

Filesize
177KB

MD5
270e39909b8fb1d06bb44811f9a1aa05

SHA1
c0a7a7129e04f0594781d5f0a5a209e301af94b7

SHA256
01bfc80c31f61f080f520341756270d62abde4dd8a8a626d57cd1d88ef456805

SHA512
c99c68b34dead08adec21946232dd8cc3cfdcf514e3fa60c69fd048cb96bb9658dab61202091f35e2142ef90b44b99ab630a7bf3dcae1b386d75a35a09c9d128

Download Submit
memory/2220-22-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2220-23-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2220-24-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2996-2-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2996-3-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2996-4-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2996-5-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download
memory/2996-18-0x0000000011490000-0x00000000114BA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads