87e32fbf107d14d6e5b38c8bae7a1447ce91d3250215acef8027ef243fa6920d

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe
Size

73KB
MD5

2c38c2982a800b915b28ccccad32164a
SHA1

4de680f3141761cd458c04602aac3918e1896d4d
SHA256

87e32fbf107d14d6e5b38c8bae7a1447ce91d3250215acef8027ef243fa6920d
SHA512

32a06ae5da0cd4dd9378666ab7b6e9500011e95d32164cfc9a95877183cbe78784ed263d3861b7d834f6b14b9afa3f76df2efd1ec95b4746dda675e01801e773
SSDEEP

1536:KCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzR0X:KCaZ2Yrb0VTXJYWEsCGuie

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2732	MSNGamesSetup.exe
1668	InstGameInfoHelperMSN.exe

Loads dropped DLL 6 IoCs

pid	Process
2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe
2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe
2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe
2732	MSNGamesSetup.exe
2732	MSNGamesSetup.exe
2732	MSNGamesSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015653-12.dat	nsis_installer_1
behavioral1/files/0x0007000000015653-12.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	MSNGamesSetup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2732	2848	2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe	28
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29
PID 2732 wrote to memory of 1668	2732	MSNGamesSetup.exe	29

C:\Users\Admin\AppData\Local\Temp\2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c38c2982a800b915b28ccccad32164a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\nst18B0.tmp\MSNGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nst18B0.tmp\MSNGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\InstGameInfoHelperMSN.exe
    "C:\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\InstGameInfoHelperMSN.exe"
    3⤵
    - Executes dropped EXE
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst18B0.tmp\ftdownload.dat

Filesize
512B

MD5
433030c5cbb375e16cc885014191f07b

SHA1
485546229799b852d97fee65a5d899aaad757ed7

SHA256
1095affbecd87e6bc9a6a2d3ba7937a2d847480b24b2cc66458b3614beb6bed4

SHA512
c4506614047c741a2c8b039a878c7eeb387c9f136dd9be2847d1edee0848368517e18606110a5b1f225a2e937e7536420e9a68fd5bf7283e29efc41f40859091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\InstGameInfoHelperMSN.exe

Filesize
455KB

MD5
0025cd88501fa44e826bc9ed4bdef2fb

SHA1
c1a5d54809ba50bea7c4cac90563eb50b1d973ab

SHA256
f26ccc52aee7f6949d33a8c5eae4829bf94ad338765b04b68214cb5f375d5d59

SHA512
96a78d4d84fa9aa74f7791d01534e9c18cabf31a73b2e6711d4152527e16265163f415b43f418112652f3642192a8409383098899f84cb762c4cf6ff2c8140fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\gametitle.txt

Filesize
19B

MD5
b95effb5cac0ebc1ea0c2e8e846e5045

SHA1
43eeed2f329347102b81baafc0cd9e62b5eae175

SHA256
3d99b189ef5a1f1fd58289b094ea89759b812efadf4cc86598cc5c207ad51859

SHA512
43c80d1713253a54b4d31a742c4afa5d0070a0f290498a71488d9d80156295438dd294496d21cb590f9ef95a1b99cf39073b026014b375d6b8d97e9b03674f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\tn_feat.bmp

Filesize
4KB

MD5
49cd2c57170a77dfa6639da258bdcce1

SHA1
fa49d2bbcccaa5219c96ecec6ef9833ebda3af2a

SHA256
6dd1f4b52d063661e6da75d17880d8e0c0d5d5febff44824f646ac92faa7dc63

SHA512
d5b2302f83f2cf7c7f45c38508ccf2ca7762f6ce2feb50b48a5337bdb1592cff3ecd43bfd06da4c9e29d420bc319a7d5ab9555598365137d67ea4875868de4a0

Download Submit
\Users\Admin\AppData\Local\Temp\nst18B0.tmp\MSNGamesSetup.exe

Filesize
45.6MB

MD5
7b3ec6d1800cddc1b195d98244e98e5a

SHA1
4f1f7318c220cfca2d8631dc3398c3242bf34115

SHA256
3cb4ae53e2756e00d016427ff3e27a488376e1ce81b5a2ce4e24520e7ca8000a

SHA512
d8ff6fee981cd039499ea2b78d2565a5418a867a40eea43310051ff90a5f2a7462cd3c63c87f9e539135d91bcea0bf2dd5ceb25256201f781c8f49c344d0fb93

Download Submit
\Users\Admin\AppData\Local\Temp\nst18B0.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nst18B0.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst3E2A.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit