4e874858c3a7fa7a2ab0ea9a13076a858333a305d3ac291788eab24409904d73

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe
Size

85KB
MD5

5da8f366d2f7305682dd0ba5217858be
SHA1

f3dae57be5cf68eddb432873f6c1877cd795c7c9
SHA256

4e874858c3a7fa7a2ab0ea9a13076a858333a305d3ac291788eab24409904d73
SHA512

022c612509dbd982c1e535a0ef85a4969197a597924866ba849edd704ed4ed946d06b58bac2453dfc4b4ea2c55a8ffebc6dc7c8c232f4a1e09fedd64ad1d9f66
SSDEEP

1536:XCaIoX1oYOcbTMV88TXJLE7iwhKKS2gE2wGu3SzRKB:XCaZ2Yrb0VTXJY7iZKUE2wGuiMB

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2748	iWinGames.exe
1548	InstGameInfoHelper.exe

Loads dropped DLL 8 IoCs

pid	Process
2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe
2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe
2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe
2748	iWinGames.exe
2748	iWinGames.exe
2748	iWinGames.exe
2748	iWinGames.exe
2748	iWinGames.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002342f-15.dat	nsis_installer_1
behavioral2/files/0x000700000002342f-15.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2748	2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe	88
PID 2812 wrote to memory of 2748	2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe	88
PID 2812 wrote to memory of 2748	2812	5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe	88
PID 2748 wrote to memory of 1548	2748	iWinGames.exe	89
PID 2748 wrote to memory of 1548	2748	iWinGames.exe	89
PID 2748 wrote to memory of 1548	2748	iWinGames.exe	89

C:\Users\Admin\AppData\Local\Temp\5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5da8f366d2f7305682dd0ba5217858be_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\iWinGames.exe
  C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\iWinGames.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\ftdownload.dat

Filesize
512B

MD5
4c48df095e9591de90abafaefcc9e8ef

SHA1
4b91cdc8836e189c42e3179c4e70124c3a02d903

SHA256
9323df4b1fdb04c4066ee8022a2308df99e64cfe59b6904556d4c599e4451295

SHA512
81a1cef8ff3c9fa77c8ff469117c14f5cd4f204854622c4a1e26406332b284c981e1df3b533d710d95ea382b5eebb8c911ab9e2c0d401d5d425f40fa6838cdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\iWinGames.exe

Filesize
4.4MB

MD5
9939c0274f24ae6d6e29dd5580fd88ac

SHA1
96c2a03086e3afd51430fa0f79026d7a961101ae

SHA256
991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471

SHA512
ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6458.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\BgImage.dll

Filesize
7KB

MD5
c430c0a7ef0ac8f80004de7f7898bced

SHA1
1f698e988bcc19d280a70c3283ff2816bb0db465

SHA256
dd4e24bcee7e9e952f1c7cda7532c0b851b87577e1b679380808f22d875c7c96

SHA512
3fa4fe59cadb580ab8b452ff7c2dd3802f8f6fe920dee15c81492c0c324ab991471de01fdb6f3ac07e336a90755243a1ef1de1bb5dd1c51cb70918e7192b46b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\gametitle.txt

Filesize
18B

MD5
f9b456362fdd5bb1db3a599d181000b7

SHA1
2b9194a1166916092f502275aaf368195c92f5b3

SHA256
b45f0941c2b29c15361534c1fa86db8652cbc27a40543c5c6f4d46d84b01b14a

SHA512
f059a3eae336a9dfd32034bb152104a0da9fcf0486de09f9703d996fba7790474e4b51d5172fd8490e05ec02ba134b4af123047720249efe9fe387251fe1fb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\nsExec.dll

Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\tn_feat.bmp

Filesize
4KB

MD5
f824e09fcdbc5343364292b30d71c070

SHA1
04fc3cbe911633e24fb943b8ca62fddb5d7afec0

SHA256
074d6b38fbd3ae36c7bc1e1105326f052fb77963b9a22dd34bcd6d45ef1b7fcf

SHA512
4f957b7770bf48682e1ce378f24119248be4f67019203dcb0023f6a85fab5b94002c9bbdaeca949a9d4d80d375dc6af2f8f3fe9d5fa9162b29dd5fa95e7cca91

Download Submit