b9111ee02cd6b171651d55e935118081506268dd0db2aeb1824f95d77b053663

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe
Size

15.5MB
MD5

f1d69cd195beb7d91e890272a8bc9247
SHA1

dacb9583748fd83eb66fc543dbc3ae10d3b9d846
SHA256

b9111ee02cd6b171651d55e935118081506268dd0db2aeb1824f95d77b053663
SHA512

c2b06560c734ac84dbf10d252ee00af28ea5a18dceda7ddc5f30c013d73a1a163140e2ae2001ede8be12ab1e021f1ce8e64167ab85782607c10cb96c43368826
SSDEEP

393216:MgM2yfl6hJEgRtG38UFd3RScLBf2JZWLONpiNY2iVv+vBO:DyfYhJvRtG3pZRpLBOjWaORikBO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1032	IObitUninstaler.exe

Loads dropped DLL 19 IoCs

pid	Process
2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe
1308	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1308	1032	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	IObitUninstaler.exe
1032	IObitUninstaler.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1948	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1948	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1948	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1948	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	28
PID 1948 wrote to memory of 1760	1948	cmd.exe	30
PID 1948 wrote to memory of 1760	1948	cmd.exe	30
PID 1948 wrote to memory of 1760	1948	cmd.exe	30
PID 1948 wrote to memory of 1252	1948	cmd.exe	31
PID 1948 wrote to memory of 1252	1948	cmd.exe	31
PID 1948 wrote to memory of 1252	1948	cmd.exe	31
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 2372 wrote to memory of 1032	2372	f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe	32
PID 1032 wrote to memory of 1308	1032	IObitUninstaler.exe	33
PID 1032 wrote to memory of 1308	1032	IObitUninstaler.exe	33
PID 1032 wrote to memory of 1308	1032	IObitUninstaler.exe	33
PID 1032 wrote to memory of 1308	1032	IObitUninstaler.exe	33

C:\Users\Admin\AppData\Local\Temp\f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1d69cd195beb7d91e890272a8bc9247_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md "C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller" & echo f|copy /y "C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\Main.ini" "C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo f"
    3⤵
    PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" copy /y "C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\Main.ini" "C:\Users\Admin\AppData\Roaming\IObit\IObit Uninstaller" "
    3⤵
    PID:1252
- C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\IObitUninstaler.exe
  "C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\IObitUninstaler.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 440
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\Main.ini

Filesize
406B

MD5
03423c003a375b17b9ae3c8911290e7d

SHA1
6429258cf8572513b0071af825a1d04150ca4c30

SHA256
f30f73971b5f8038bff3376429f82586794cf7d8e654326d50fc25563d63a729

SHA512
32f52eb55a64df412c883abf2547db5aa00ca61cbffa03097ece00b59bbe8786e3c407cb80958a33081fe9e31fe3d5dfef028e5e4683be294306c4b2f5767f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\ProductNews2.dll

Filesize
2.2MB

MD5
eef6fa67018f475aedc2265503c82ee8

SHA1
74620336d57b55c5aaa65809fc466bdd8d91f93b

SHA256
65b842695dbdaaf15610fe7bbe3778c3bcbd6b98cbef6210bf584b32ededefde

SHA512
1282e1c3a64a103d050caa779151ca7c879fb27caa94df8af616c29fc57955bbf3d71cadcf81997eb0a2253fd31da5330a6843719f529561648c5715510b56e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\madDisAsm_.bpl

Filesize
58KB

MD5
61d323161f2cbc187e6a36a12a0734fa

SHA1
6f3b54a3860ed8cf5746516c86c4c75fcfc1e0ae

SHA256
fbb9b4f1944b82701c7c06971a24cfed09d6e7f4a0f1684eba49800e3396fe3a

SHA512
0f1f8e8fef47791e0e6a62b2b91aec7d014c98b0b576940d99a4a7f714747120927b96cc70fb7b25cfd43276db059b1a9e4b73b0d51c29b63eb8a40ee2afb63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\rtl120.bpl

Filesize
1.1MB

MD5
83ac415bcad54682d56dfee0066000e2

SHA1
916e00f9cfebe0bc1296d5b9e84b86d80548e800

SHA256
91ade0cbd518fd898f61b53d27f89c4ab64bc3dba22483a4b9b78d5826a333e4

SHA512
ca90a6026cb8265f23d7feb45b5caded216e87d72c4f2cc579e44c29ef7a213efbb54435551c0d1e44fe9979d54cbee91b1150eddb701ce89dec1555ec017703

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\vcl120.bpl

Filesize
1.9MB

MD5
9cef56e9868e96afabb1fcd8758931b8

SHA1
8e99aa4839e6e29a4213ca0309c6ea02a46442f7

SHA256
28fdac79c3e1656e4c60de4b6bc6dca390ef5b86f58d75e1f352bc964a4efdcb

SHA512
b296b74c637d7db8bc82d98e794c8f27afba5e061d06c6bcbbd806eee511dcd2414a7d8505af0b4d71c96dada57126c38f83f13552079fec3c2e4aa1a647074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUninstaller\vclx120.bpl

Filesize
217KB

MD5
ce332581d5bd58b3120754431e866f22

SHA1
8b0fdc55d1cdc430c3d9689d057c62ba3e5d5514

SHA256
4335551dc47bf65d3292ba6fa5d102565814ec36d904be83afedf11fcc17d060

SHA512
16e6d64c57dc5cb775cb8f27801e54d73a9892f06c32167602a92aab8f526acb1f44f005620d3a1ef1dc9aa2e1e227a0e55389653d17d3bb9df245f5a6c17f90

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\IObitUninstaler.exe

Filesize
6.4MB

MD5
63492e453072d431762dfa38706668fd

SHA1
bcff82fe4aada002b40160075c5ca4f0cfd43c44

SHA256
66fb8086a736233d828bedc0d4ec1ba815615daa88ff5a91029f9428c347979e

SHA512
9fae3fc3b1b2beb95638be5f4f528ed416f277ea2a15561cee4910591dafada25d60e0a017c2c731578b4a87d9235da979c6b61a0929dfe10f32ddbe80e7eb44

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\PluginHelper.dll

Filesize
127KB

MD5
f032d7def80c7f00c487ef10a37458b1

SHA1
0623e29fbe39c6ab399271361b16b192dbfe424e

SHA256
2f9a272f26292c1f6f8a7c7fda9d19c569d17ee83de293fd4d0ede396c6508c0

SHA512
33e469becf85ddf7630ecc3c3005c857aaefd1441ec5833fe77c63d52204de7f4b34065434d4d4eadd390c53789a870e1bb28d0d80d6dfa41211c7211cbd3d27

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\SysRest.dll

Filesize
80KB

MD5
72487650a4f664d46c2fcc3b24805a71

SHA1
3bf3e0f0727e0ca384587fa15e5a8fa45b0290c1

SHA256
cc3ccdcde466210ae0f8330e7030097f80d09a496076f0e002f2c1287aae6fd5

SHA512
4d74e10c32bfd8dfc5ab1244919d9cbb5ce4bac3883e855a914b4f94ed60413565b84bfc7e644f8efe1a34b4e8f52fcfb1056c8a86fe232d049339dee2676bda

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\forcedelctl.dll

Filesize
515KB

MD5
c67d549e450b9ba8bcfd7c799b359717

SHA1
d628e4041603dc719ca991533f914e1f91af58c6

SHA256
2e36d3553319b74c13716ff938be70327bd5326c0723a891042eb520fc1b8334

SHA512
19460432cf0f57d78fb83c062545c89c830ecfcc8330a8e17b829e7bd96b58e71b529b5d9849304a3c446e1d1c515619d779e65f5b12955db3ccdedb89ec33e3

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\madbasic_.bpl

Filesize
205KB

MD5
0470b3205faf06b0b807629c7462ea90

SHA1
b0b309ba97caca555c1c1edf90b7c777d0ee4deb

SHA256
50e8481906f27e92bb80f4b7139f90949b960b1b2898dd0f6875147f44d8ad20

SHA512
7aa09d6eca8fa7add3c9b81ba6196d3e2665ab93dffda3ac26a24e3b3745d8d1afb340ac41822979845701ed54459637ab2206c5597a2413a2af1d37f7c62f32

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\madexcept_.bpl

Filesize
431KB

MD5
73784c975e57ecc1afc35bd4c8f7d3bd

SHA1
f337fcf1cc19e9ebfda38ebbe798017592aca1e7

SHA256
27ab8d48e592498885477d4bb689844113490b6ef752443d33fa24fcb8891057

SHA512
8d6486e759faeb4cc9f1b01cc358bb0c903fba569b5819fe58a8f95d22d13c1403908fb3fda74a06e8a178de0c566af2a5dc562213ca0de00cb1032fda930417

Download Submit
\Users\Admin\AppData\Local\Temp\IObitUninstaller\sqlite3.dll

Filesize
677KB

MD5
b3d2c44cb44f323210dd99c701daf877

SHA1
3dde51bdb4addbfb14162dc51fc84b10335ce0ac

SHA256
19f3bfcbaed4d727209df368909afdde92ef1e12587d3ebf3a2c233eceb93ce2

SHA512
5eae44c8758e664d36179c682abf8c1e3adf4c88013f51e86df08114ac90cd0fde89b838019e19ec73f9b0c35b108c423053ecb2bf36324651865fbef9d6d904

Download Submit
memory/1032-180-0x0000000000CB0000-0x0000000000EEE000-memory.dmp

Filesize
2.2MB

Download
memory/1032-183-0x0000000000240000-0x00000000002C8000-memory.dmp

Filesize
544KB

Download
memory/1032-191-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/1032-192-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1032-193-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1032-194-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1032-195-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1032-196-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1032-197-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/1032-198-0x0000000061C00000-0x0000000061C9C000-memory.dmp

Filesize
624KB

Download
memory/1032-200-0x0000000000240000-0x00000000002C8000-memory.dmp

Filesize
544KB

Download
memory/1032-199-0x0000000000CB0000-0x0000000000EEE000-memory.dmp

Filesize
2.2MB

Download