b29ad0aa376658bc8d2343aac56e35f9e7ffbdd1e6110aef19beaeb6a8a51b31

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe
Size

666KB
MD5

5b4d4e5e9cd2c1d4518e823c6f62f92b
SHA1

fda9f7d1e8305d3187137afd53dbddfb2b40d52f
SHA256

b29ad0aa376658bc8d2343aac56e35f9e7ffbdd1e6110aef19beaeb6a8a51b31
SHA512

8f322691cf46fb33c7754c9f9092daf94dca031c4a2c8fd565cbb269dd7e415a1643b25444e8ded4c39e08f1555bbfc464a880b31a2bceebd21e7044479b7ba6
SSDEEP

12288:q1H2Bws6vFhIExmyCDU99V78xLupdZYJfVL9N3kOiqhBK0wr9+Am1ID:qyuLay+W9sufZ+L9NUfq9G9ZmqD

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2072	Au_.exe
2708	kwuninsthelper.exe

Loads dropped DLL 23 IoCs

pid	Process
1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2072	Au_.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe
2708	kwuninsthelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 1088 wrote to memory of 2072	1088	5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29
PID 2072 wrote to memory of 2708	2072	Au_.exe	29

C:\Users\Admin\AppData\Local\Temp\5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b4d4e5e9cd2c1d4518e823c6f62f92b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe
    "C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe" /MTD="cG9zdA==" /DAT="TWlVd09UeFRVa002VFZWVFNVTmZPUzR3TGpRdU1GOUNRMU14Tlh4QlExUTZUbE5KVTE5VlRrbE9VMVI4VkZsUVJUcFNWVTVWVGxOVWZFTlZVa1JVT2pFNU9EWXlmRWxPVTFSRVZEcDhWVk02TVRrNE5qSjhWRU52ZFc1ME9qSTFPVE01TmpFMU0zeDdRWFZmTG1WNFpYMThWVHA4VFVGRE9rUTJPRFJCUXpaQk5UQTFPRDQ9" /RES="QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGt1d29tc2dsb2cudHh0" /DST="aHR0cDovL2xvZy5rdXdvLmNuL211c2ljLnls"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe

Filesize
100KB

MD5
b759bbbb1af31b9fab3954360086f828

SHA1
f43c8195d0d8303a316218a4958b790c4f965818

SHA256
9cd242782f6c82b27396c2a1133df29cfb3498f64875e756c155dcd10a647426

SHA512
1914d5d0f780d33eccddb11b244387737c8fcc18deeeca3bed50e17510f0e5a7b8850afbe99dd3cd8037720af32e8c1599fd66ed4c2d77bdb74fcc5773dc42bc

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D7.tmp\Base64.dll

Filesize
70KB

MD5
850740258bc04a9a60266a206a56a576

SHA1
562efebbde3e3ae999081f217f50092f27ee19e5

SHA256
d905aea5493481703a0be6ec70815774edfbaa75cab9d1fcd9f0ec32594b0567

SHA512
da9c1e4b587ad35317810e2320ed62f1bbb353ea52477e9d466f20cad25bbe5b0bfa6746e2823d1f7d2255fdfbdd3356a67e029c5858f5823a791edd25a94bf0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D7.tmp\inetc.dll

Filesize
55KB

MD5
43fa0a6cde7f17e914b5087e133cbaa9

SHA1
1bb3e4cc98e3b65722d21425d0358e2fe93b20e9

SHA256
46e26dc2255603778fd046493fae73130963c7fb365ca222105e8ea0328c485f

SHA512
b2e7921e18f12703df2e08ae6edb16823ea74278980b91019272c12c516498bb6db1e0d2b422f3af2aa3d492396423cc84fe8bf43b229e4745ca4592a149f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DE.tmp\KuWoNsis_new.dll

Filesize
296KB

MD5
37465ad07dca1c03e08d4c22f41a07ab

SHA1
20466d2936fcbaf85008b4ffe5e6bc37cada0af7

SHA256
0adaa9dfd9faefc20c996897afa4c97e68b93c5da5fdd8fd8c0e4818a7c16b86

SHA512
bbc16a01f2d83c05c6ca20feaa3f1fe9de06724313930589fc31dd81fa44853717ac35364a4881d5d09b8538695bc44a919bf180e047379e78921530af02b6dd

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DE.tmp\KwMusicNsis.dll

Filesize
419KB

MD5
06029e624f1d222e59ac641b2ce426b6

SHA1
6ba2875bee2eae79c0e1eaa8aa236038c8db6044

SHA256
09fb37e917faea5c966bc3418d1d7e46e3d0b9912cadd56486ba5bb5ac0f7b10

SHA512
516c04cfc31204879a0c938961208416ddd4ca7204606d630abe860c81422aa1316e45e29669ba01a7506af3f05284395c7c46524f2e73f36d3b4274203de70b

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DE.tmp\NSISArray.dll

Filesize
32KB

MD5
8b43a3f284632edfbb51665b2e0b8a3c

SHA1
af6ab111856be7af7212a82b052e8b5656159b35

SHA256
336e588999bf6b1cd6c894dbf5a73b2198d48c935f8b1251687845cce467dc67

SHA512
3a9add285d074db534937b193b92f8e0503c94c97b11f0abe5d9358342fbc57461ba1f559fa19e0522cfec914b8a007f11bec34abef17faaca5de8bda0dbaf94

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DE.tmp\System.dll

Filesize
11KB

MD5
7df8fb4196186f28cb308f9952d7ef64

SHA1
f20a7259ad233ac3795b6e6537de658209a8fd40

SHA256
72253837028abed272e5d50a3a6771933e9dd1aad73e90b8db4538aa9c786cbf

SHA512
3f373d69664ce015ceab16c12ba4c806c3489b89ae9db282551ec2452acd2ced1d70ddd4de0ef8c56d62a715624c9d2ceddc968adf07e905f2e4c81c2850ae4b

Download Submit
\Users\Admin\AppData\Local\Temp\nso11DE.tmp\nsDialogs.dll

Filesize
9KB

MD5
3ff6d8bfd6784eb4325102d9f76a0fe1

SHA1
1eedf67a5f3ea636bcb621402bb679d3e08c0414

SHA256
6da0ec15a4d3bbcfdd82d36838abcf8d57515d06049290801e5d71b4fd021dab

SHA512
dcc6c3ad393503c6527528d4fccc8b4faf25c6ff50a08c29247ab144f444d31590e3f7a581b2c955b0a109b552f0b7e3b4ae1849228d31a220d46eb5e1e2d26a

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
666KB

MD5
5b4d4e5e9cd2c1d4518e823c6f62f92b

SHA1
fda9f7d1e8305d3187137afd53dbddfb2b40d52f

SHA256
b29ad0aa376658bc8d2343aac56e35f9e7ffbdd1e6110aef19beaeb6a8a51b31

SHA512
8f322691cf46fb33c7754c9f9092daf94dca031c4a2c8fd565cbb269dd7e415a1643b25444e8ded4c39e08f1555bbfc464a880b31a2bceebd21e7044479b7ba6

Download Submit
memory/2072-30-0x0000000002B30000-0x0000000002B7C000-memory.dmp

Filesize
304KB

Download