Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-04-2024 13:23

General

  • Target

    f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    f1278c614f4bcb17088e0194a3e15108

  • SHA1

    4f768d824d08520b5962c86b1b838c038e9806d2

  • SHA256

    e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545

  • SHA512

    8b3ec07f912e26a2a9588df61b94b00b040b69cc054200a965398f3bdb2818e9d3757c4b6c980ce654b76c4bc0b2410e8f4d31f8a430ff04504a1500fa07f854

  • SSDEEP

    24576:Qr1O0K4xZpO0FmzY8537teyxC8muUC1CMlTfacNHdduJ7S2pf5HBcNqvKM+gA9:oMO5VFx9juUmCyTfao/uJ7S2pf5SeKp

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 40 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
      "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp" /SL4 $40156 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2152
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""
          4⤵
          PID:2612
          • C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp
            _RegDLL.tmp 552 544
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:2544
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
        2⤵
        • Deletes itself
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\WindowController\del_bat.cmd

      Filesize

      244B

      MD5

      569c447b88ee6ee87a0d575fc064c735

      SHA1

      c6d4a65b6ae7cd71d3d147de18623ea608fab20a

      SHA256

      ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c

      SHA512

      1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5

    • C:\Program Files\WindowController\windowcontroller_v1.dll

      Filesize

      425KB

      MD5

      42fa974b082ae577576fe5d4116b0ea7

      SHA1

      f374a519c41c73e5e40f281d25ec91325ff8c103

      SHA256

      b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45

      SHA512

      60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48

    • C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

      Filesize

      285B

      MD5

      3670ebb3297f13962c71489c50e5fc4a

      SHA1

      9b58125817e1ed3fafd54c89dcd8880b45e8d27f

      SHA256

      5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0

      SHA512

      99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714

    • \Program Files (x86)\WindowController\WindowController_setup_06.exe

      Filesize

      1.4MB

      MD5

      5f47cf5504f99f7a6a20ea11e393ed75

      SHA1

      081ba58a5a211efa949b6536b477b9f211f1a0ea

      SHA256

      a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b

      SHA512

      4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

    • \Program Files\WindowController\sqlite3.dll

      Filesize

      274KB

      MD5

      89f0fd81f69f1a20ba0951d8694b4437

      SHA1

      f3c56f20cf8a6f6dd210b287b6a22210d252ec6b

      SHA256

      c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a

      SHA512

      51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd

    • \Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp

      Filesize

      656KB

      MD5

      4fa180886ff7c0fd86a65f760ede6318

      SHA1

      2c89c271c71531362e84ddab5d3028f0756a9281

      SHA256

      1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

      SHA512

      a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

    • \Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp

      Filesize

      3KB

      MD5

      c594b792b9c556ea62a30de541d2fb03

      SHA1

      69e0207515e913243b94c2d3a116d232ff79af5f

      SHA256

      5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e

      SHA512

      387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

    • \Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • memory/1964-16-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/1964-62-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2152-61-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

    • memory/2544-55-0x0000000001F70000-0x000000000209C000-memory.dmp

      Filesize

      1.2MB