13035a99311927ff130b173866a2b200e5d143791f5ea2b98750d88ce234b44f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Size

347KB
MD5

32d2e28084e33ea8d3501a5127096002
SHA1

7235e8039bd8e5416e9b551dba44ed99c3ba56a2
SHA256

13035a99311927ff130b173866a2b200e5d143791f5ea2b98750d88ce234b44f
SHA512

d5b06b6b09a5566138f7149d5822c600e2402b8184dcce0922853784246c8200e113744dc78b9b34f46f3fd21b17dc942db3e4ec7c38d041f14f6cd4a4c1e66e
SSDEEP

6144:5Qq83TWIk8KtRAW7V72Q5m2B9ky7Lkx9DqXqSXFLdhzW9zGCozkV7fMQiO9UsQYS:VPHtRdV7lh9koQzDWqMLdxWoCozkdMQI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	nsissetup.exe

Loads dropped DLL 4 IoCs

pid	Process
1300	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
2936	nsissetup.exe
2936	nsissetup.exe
2936	nsissetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	nsissetup.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	nsissetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	nsissetup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}\LocalServer32	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\nsy2E23.tmp\\nsissetup.exe\" -- \"32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe\" 514 000001D4 000001D8 {012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}"	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}\LocalServer32	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{012725FF-7CF5-4C6D-B4F9-73BDD2B81F48}	32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2936	nsissetup.exe
2936	nsissetup.exe

C:\Users\Admin\AppData\Local\Temp\32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
PID:1300

C:\Users\Admin\AppData\Local\Temp\nsy2E23.tmp\nsissetup.exe
"C:\Users\Admin\AppData\Local\Temp\nsy2E23.tmp\nsissetup.exe" -- "32d2e28084e33ea8d3501a5127096002_JaffaCakes118.exe" 514 000001D4 000001D8 {012725FF-7CF5-4C6D-B4F9-73BDD2B81F48} -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DLG\initWindow\noconnection.html

Filesize
2KB

MD5
a0ee32dc4ffc79fdef2dc0467da538c5

SHA1
15d78592ac2c313a52d3c22783aae9bb4c787182

SHA256
b4508b7dcc08b2b93cd64bee68bd5174fe48f48280e59f9a81d4861c3ef0431d

SHA512
e7c02d6211878466d1fb77d2d96a79615f3e85cc9579fb6f54001639902eaa106d734a9c7ef07278c5014e7dc8d28d7b2ee28f677f362d80dfd3d26e59a976e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2E23.tmp\nsissetup.exe

Filesize
439KB

MD5
c5b23c0e06fecfb46d9a6cdbe1840504

SHA1
577021fb4bbf53d484d7b932311ef22dd999af64

SHA256
115421eaff06dc2757ed3d5d7a273580f56737233464ae8316ba8cfaca1d3242

SHA512
2082637f296ddfb20fbec6eea6d67205b9127611546dc60f5721d4405a9ecb671871c836dae739d96bf01361540ca1d9e0c5eb857ef6b0beb01995d3f1e96278

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2E23.tmp\setup_plugin.dll

Filesize
13KB

MD5
dc43d79a451e9421fcb6ae1b240f7168

SHA1
0c442cc55a961ee7a5fbe0fd3f35be963627ef61

SHA256
305157c980f6e9ea88f1a797c9975a39e61629bfc5c7e8b91f179de93f218fde

SHA512
d7f18182dc0f2a4aff7b71fca354b435b613eff81eefea984f968302edd2ffaf621975d61499476df77c7b3253c5a1f9b5a6a9ba937056325be5e26de0aa9f2c

Download Submit