Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 12:33
Static task: static1

Behavioral tasks:

task          sample                                               resource
behavioral1   f5c77ef21662451265e0828c66274852_JaffaCakes118.exe   win7-20231129-en
behavioral2   f5c77ef21662451265e0828c66274852_JaffaCakes118.exe   win10v2004-20240412-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                       win7-20240221-en
behavioral4   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240412-en
behavioral5   SpyOut.exe                                           win7-20240221-en
behavioral6   SpyOut.exe                                           win10v2004-20240412-en
behavioral7   SpyOutLaunch.exe                                     win7-20240215-en
behavioral8   SpyOutLaunch.exe                                     win10v2004-20240226-en
behavioral9   SpyOutUp.exe                                         win7-20240221-en
behavioral10  SpyOutUp.exe                                         win10v2004-20240412-en
behavioral11  uninst.exe                                           win7-20240221-en
behavioral12  uninst.exe                                           win10v2004-20240412-en
behavioral13  $PLUGINSDIR/KillProcDLL.dll                          win7-20231129-en
behavioral14  $PLUGINSDIR/KillProcDLL.dll                          win10v2004-20240412-en
General

Target: uninst.exe
Size: 132KB
MD5: 46841052d7e2a47af13f8845ea018484
SHA1: d6f5e38b803a2ffa654c681bd1244f77097769e3
SHA256: 529830765e44fb8dabfb8fe92aa242005edc2ca83fbe13f4fc4d6cfa7d6b4a50
SHA512: 0d68120e128caa6c47f11b318f452b7596600c9b6bf6741e761115e0be6f3010bc8fcf05a0b3c8ebba9d7919f87084d08f2a799f256812eab6026b6dd49be178
SSDEEP: 1536:jQpQ5EP0ijnRTXJfiSFxYrZqa9WXkI8s3ofkP0r0eLuUeFEv8VeOF/B:jQIURTXJfiokZqa9+8qo6hUeFEv8v
Malware Config

Signatures

Deletes itself (1 IoCs)
  Processes:
    pid   process
    1200  Au_.exe

Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1200  Au_.exe

Loads dropped DLL (7 IoCs)
  Processes:
    pid   process
    2412  uninst.exe
    1200  Au_.exe
    1200  Au_.exe
    1200  Au_.exe
    1200  Au_.exe
    1200  Au_.exe
    1200  Au_.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
  Processes:
    resource                                            yara_rule
    \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe    nsis_installer_1
    \Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe    nsis_installer_2

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid   process
    1200  Au_.exe
    1200  Au_.exe
    1200  Au_.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  1200  Au_.exe
    Token: SeBackupPrivilege   1200  Au_.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2592  SpyOut.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       pid   process     target process
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 2412 wrote to memory of 1200  2412  uninst.exe  Au_.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
    PID 1200 wrote to memory of 2592  1200  Au_.exe     SpyOut.exe
Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SpyOut.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\SpyOut.exe" /uninstall
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

\Users\Admin\AppData\Local\Temp\nsy2ACA.tmp\KillProcDLL.dll
  Filesize: 4KB
  MD5: 99f345cf51b6c3c317d20a81acb11012
  SHA1: b3d0355f527c536ea14a8ff51741c8739d66f727
  SHA256: c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93
  SHA512: 937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  Filesize: 132KB
  MD5: 46841052d7e2a47af13f8845ea018484
  SHA1: d6f5e38b803a2ffa654c681bd1244f77097769e3
  SHA256: 529830765e44fb8dabfb8fe92aa242005edc2ca83fbe13f4fc4d6cfa7d6b4a50
  SHA512: 0d68120e128caa6c47f11b318f452b7596600c9b6bf6741e761115e0be6f3010bc8fcf05a0b3c8ebba9d7919f87084d08f2a799f256812eab6026b6dd49be178

memory/1200-16-0x0000000010000000-0x0000000010003000-memory.dmp
  Filesize: 12KB

memory/1200-25-0x0000000010000000-0x0000000010003000-memory.dmp
  Filesize: 12KB