Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-04-2024 13:23
Static task: static1
Behavioral task: behavioral1
- Sample: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/InstallOptions.dll
- Resource: win7-20240220-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/InstallOptions.dll
- Resource: win10v2004-20240226-en
Behavioral task: behavioral5
- Sample: WindowController_setup_06.exe
- Resource: win7-20240221-en
Behavioral task: behavioral6
- Sample: WindowController_setup_06.exe
- Resource: win10v2004-20240412-en
General
- Target: WindowController_setup_06.exe
- Size: 1.4MB
- MD5: 5f47cf5504f99f7a6a20ea11e393ed75
- SHA1: 081ba58a5a211efa949b6536b477b9f211f1a0ea
- SHA256: a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b
- SHA512: 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2
- SSDEEP: 24576:+fOy4I4oZ+OTFmmYf52bLIPCUtSyxVqVuR5LnMlyFarOHd4uyIg2df5HejNPvNa2:+GThaFw52P4kMouR1nyyFaaCuyIg2dfE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1684  is-FTFOF.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                        procid_target
  PID 2156 wrote to memory of 1684    2156  WindowController_setup_06.exe  87
  PID 2156 wrote to memory of 1684    2156  WindowController_setup_06.exe  87
  PID 2156 wrote to memory of 1684    2156  WindowController_setup_06.exe  87
  PID 1684 wrote to memory of 4400    1684  is-FTFOF.tmp                   90
  PID 1684 wrote to memory of 4400    1684  is-FTFOF.tmp                   90
  PID 1684 wrote to memory of 4400    1684  is-FTFOF.tmp                   90
Processes
1. C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2156
   2. C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-IKHLJ.tmp\is-FTFOF.tmp" /SL4 $8016E "C:\Users\Admin\AppData\Local\Temp\WindowController_setup_06.exe" 1217223 52224
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1684
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
         PID: 4400
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 226B
  MD5: 57d7419e37e725840c910cb21ccf0adb
  SHA1: b2a7b23acc8039311994933add224e72ee08a4a4
  SHA256: 7adfe3d985257c921c924fca6fc84cec6b79b2bb676d4e1b603582afec778fac
  SHA512: e4f0c3c5f2702baa8a3954eadca2e1c380b7bc0b1d642659d8bc03467f0f17be05ff5f6f9b96094a66b3fc7a0552277cea1e5c5a31ae073344ae2344fe9321fc
- Filesize: 656KB
  MD5: 4fa180886ff7c0fd86a65f760ede6318
  SHA1: 2c89c271c71531362e84ddab5d3028f0756a9281
  SHA256: 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
  SHA512: a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd