Analysis

  • max time kernel
    93s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240412-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    15-04-2024 13:23

General

  • Target

    f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    f1278c614f4bcb17088e0194a3e15108

  • SHA1

    4f768d824d08520b5962c86b1b838c038e9806d2

  • SHA256

    e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545

  • SHA512

    8b3ec07f912e26a2a9588df61b94b00b040b69cc054200a965398f3bdb2818e9d3757c4b6c980ce654b76c4bc0b2410e8f4d31f8a430ff04504a1500fa07f854

  • SSDEEP

    24576:Qr1O0K4xZpO0FmzY8537teyxC8muUC1CMlTfacNHdduJ7S2pf5HBcNqvKM+gA9:oMO5VFx9juUmCyTfao/uJ7S2pf5SeKp

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 40 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
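The signatures above record a Run key and a Browser Helper Object registration, but the report does not show the Run value name or the BHO CLSID. The following PowerShell script is an added example, not part of the sandbox report and not the sample's own code: it enumerates BHO and Run-key persistence on a host and hashes what it finds against the SHA256 values from the Downloads section. The `WindowController` string match, the registry views checked and the two drop directories are assumptions taken from the paths listed in this report.

```powershell
# Added example (not part of the sandbox report): hunt a Windows host for the
# persistence this sample leaves behind and check the files it dropped against
# the SHA256 values listed in the Downloads section. Run from an elevated
# PowerShell prompt.
#
# Assumptions not stated in the report: the Run value name and the BHO CLSID are
# unknown, so every Run value whose command mentions WindowController and every
# registered BHO (native and WOW6432Node views) is reported.

# SHA256 values copied from the Downloads section of this report
$ReportSha256 = @{
    'a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b' = 'WindowController_setup_06.exe'
    'c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a' = 'sqlite3.dll'
    'b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45' = 'windowcontroller_v1.dll'
}

# Drop locations seen in the report (both Program Files trees appear)
$ReportDirs = @(
    'C:\Program Files (x86)\WindowController',
    'C:\Program Files\WindowController'
)

function Test-ReportHash {
    # Returns the report file name when $Path hashes to a known IOC, else $null
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $Path = $Path.Trim('"')
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    if ($ReportSha256.ContainsKey($hash)) { return $ReportSha256[$hash] }
    return $null
}

function Get-BhoRegistrations {
    # Each BHO is a CLSID subkey; the DLL path lives in the CLSID's InprocServer32
    # default value. The installer ran under SysWOW64, so a 32-bit BHO would be
    # registered in the WOW6432Node view.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -Path $v.Bho) {
            $clsid  = $key.PSChildName
            $inproc = Join-Path $v.Clsid "$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path $inproc) { $dll = (Get-ItemProperty -Path $inproc).'(default)' }
            [pscustomobject]@{
                View  = $v.Bho
                Clsid = $clsid
                Dll   = $dll
                Match = Test-ReportHash $dll
            }
        }
    }
}

function Get-RunValuesReferencing {
    # Run values whose command line contains $Pattern, across HKLM/HKCU and the
    # WOW6432Node view
    param([string]$Pattern = 'WindowController')
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match $Pattern) {
                [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd }
            }
        }
    }
}

Write-Host '== Browser Helper Objects =='
Get-BhoRegistrations | Format-Table Clsid, Dll, Match -AutoSize

Write-Host '== Run values referencing WindowController =='
Get-RunValuesReferencing | Format-Table -AutoSize

Write-Host '== Files under the report drop directories =='
foreach ($dir in $ReportDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Match = Test-ReportHash $_.FullName }
    } | Format-Table -AutoSize
}
```

A BHO whose DLL hashes to one of the report values is a confirmed match; a BHO whose DLL merely sits under a WindowController directory is worth a manual look, since a rebuilt installer would change the hashes but not the drop path. The two batch files (del_bat.cmd, del_nsis_bat.cmd) are run by cmd.exe in the process tree to delete installer remnants, so do not expect them to still be on disk.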

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
      "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp" /SL4 $401D8 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:932
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""
          4⤵
          PID:5000
          • C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp
            _RegDLL.tmp 1212 1116
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:1296
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
      2⤵
      PID:1376

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Program Files (x86)\WindowController\WindowController_setup_06.exe

        Filesize

        1.4MB

        MD5

        5f47cf5504f99f7a6a20ea11e393ed75

        SHA1

        081ba58a5a211efa949b6536b477b9f211f1a0ea

        SHA256

        a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b

        SHA512

        4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

      • C:\Program Files (x86)\WindowController\del_bat.cmd

        Filesize

        244B

        MD5

        569c447b88ee6ee87a0d575fc064c735

        SHA1

        c6d4a65b6ae7cd71d3d147de18623ea608fab20a

        SHA256

        ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c

        SHA512

        1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5

      • C:\Program Files\WindowController\sqlite3.dll

        Filesize

        274KB

        MD5

        89f0fd81f69f1a20ba0951d8694b4437

        SHA1

        f3c56f20cf8a6f6dd210b287b6a22210d252ec6b

        SHA256

        c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a

        SHA512

        51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd

      • C:\Program Files\WindowController\windowcontroller_v1.dll

        Filesize

        425KB

        MD5

        42fa974b082ae577576fe5d4116b0ea7

        SHA1

        f374a519c41c73e5e40f281d25ec91325ff8c103

        SHA256

        b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45

        SHA512

        60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48

      • C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

        Filesize

        285B

        MD5

        3670ebb3297f13962c71489c50e5fc4a

        SHA1

        9b58125817e1ed3fafd54c89dcd8880b45e8d27f

        SHA256

        5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0

        SHA512

        99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714

      • C:\Users\Admin\AppData\Local\Temp\is-ER242.tmp\is-L14T7.tmp

        Filesize

        656KB

        MD5

        4fa180886ff7c0fd86a65f760ede6318

        SHA1

        2c89c271c71531362e84ddab5d3028f0756a9281

        SHA256

        1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

        SHA512

        a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

      • C:\Users\Admin\AppData\Local\Temp\is-QM2F2.tmp\_isetup\_RegDLL.tmp

        Filesize

        3KB

        MD5

        c594b792b9c556ea62a30de541d2fb03

        SHA1

        69e0207515e913243b94c2d3a116d232ff79af5f

        SHA256

        5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e

        SHA512

        387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

      • memory/932-17-0x0000000000590000-0x0000000000591000-memory.dmp

        Filesize

        4KB

      • memory/932-51-0x0000000000400000-0x00000000004B3000-memory.dmp

        Filesize

        716KB

      • memory/1296-43-0x00000000021D0000-0x00000000022FC000-memory.dmp

        Filesize

        1.2MB

      • memory/1296-47-0x0000000060900000-0x000000006096F000-memory.dmp

        Filesize

        444KB

      • memory/1296-45-0x00000000021D0000-0x00000000022FC000-memory.dmp

        Filesize

        1.2MB

      • memory/3032-6-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB

      • memory/3032-52-0x0000000000400000-0x0000000000413000-memory.dmp

        Filesize

        76KB