0467e64ab69d9df9e713f57f2377fa2402521073d1d37a0ff03898d7e2afedda

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 06:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe
Size

1.9MB
MD5

625d58445aa3599cafebaecfc42ff953
SHA1

8763e4fc6e23f19c0cb21464edfad9fde2dce433
SHA256

0467e64ab69d9df9e713f57f2377fa2402521073d1d37a0ff03898d7e2afedda
SHA512

d28a62b27290fb6cdfd2f00b1635311e8d1bbeecdb70434332eb18713a5cf37967a2404ab151da9dc20ffbf7f5c69be1e61242b1d21a68506b9d8370d64538b8
SSDEEP

49152:2nzniUKUbgUJfs+0ZSHN3C5yg9DeNnt28vv0i1csQ+DMfkW:2nT/FJfsJSH5CdDcl0iqsDDhW

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000018bab-125.dat	acprotect
behavioral1/memory/2860-127-0x0000000074220000-0x000000007422A000-memory.dmp	acprotect
behavioral1/files/0x0006000000018ed8-166.dat	acprotect
behavioral1/memory/2860-281-0x0000000074220000-0x000000007422A000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2996	itinstallerp.exe
2860	31a1Installer.exe

Loads dropped DLL 41 IoCs

pid	Process
1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe
1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe
1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe
2996	itinstallerp.exe
2996	itinstallerp.exe
2996	itinstallerp.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe
2860	31a1Installer.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015c6b-12.dat	upx
behavioral1/memory/1932-14-0x0000000000440000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2996-23-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/files/0x0006000000018bab-125.dat	upx
behavioral1/memory/2860-127-0x0000000074220000-0x000000007422A000-memory.dmp	upx
behavioral1/files/0x0006000000018ed8-166.dat	upx
behavioral1/memory/2996-280-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2860-281-0x0000000074220000-0x000000007422A000-memory.dmp	upx
behavioral1/memory/2996-282-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-289-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-291-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-293-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-295-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-297-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-299-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-301-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-303-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-305-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-307-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-309-0x0000000000870000-0x00000000008D2000-memory.dmp	upx
behavioral1/memory/2996-311-0x0000000000870000-0x00000000008D2000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000015c52-42.dat	nsis_installer_1
behavioral1/files/0x0009000000015c52-42.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	31a1Installer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2996	1932	625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe	28
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29
PID 2996 wrote to memory of 2860	2996	itinstallerp.exe	29

C:\Users\Admin\AppData\Local\Temp\625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\625d58445aa3599cafebaecfc42ff953_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\itinstallerp.exe
  C:\Users\Admin\AppData\Local\Temp\itinstallerp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\temp\31a1Installer.exe
    "C:\Users\Admin\AppData\Local\temp\31a1Installer.exe" /KEYWORD=31a1 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd123A.tmp\ToolkitOffers.dll

Filesize
289KB

MD5
21ace3cf64828557817cb17f55e4dfd1

SHA1
46574d7a5483db8476bd607340cc441a326dcf14

SHA256
2d1becb94d82d890662ffd0cd99b6004e31a4633bba8e950f79610907761e7ab

SHA512
1f8b8c077ac814c4570794b7e324fd2125a187934d4ce59886e2940141e93aff020cf3cfdeb9dbc5f0a62d76f502af6018f05659d285a87a3dfddb1b77a37ef2

Download Submit
C:\Users\Admin\AppData\Local\temp\31a1fondo.bmp

Filesize
206KB

MD5
2be9decc105c494cbdbac72ec8666966

SHA1
e291c2746210701a1679da76ac646d10cb28e2db

SHA256
714c04d6e0c30dad752d1d1554d759f97ed467f83e5d3f72ddf73b048efb6090

SHA512
c36e94260090cd27e9fbd972e3a7b59b66bdee68b7cfbad2a53f0c5d8a089b2f279722b9ce0ccb02cc61dc4bf5c9661dc6c8adabca212ce89671dee9a00aabb3

Download Submit
C:\Users\Admin\AppData\Local\temp\31a1header.bmp

Filesize
25KB

MD5
f3d90afbf6ff938e854a079370e8c859

SHA1
3648b3cad35e6c05a4b0499658d655fa30225af7

SHA256
1bc16f1153eda302a5bb24f00734c6d89090e5c2a06fea603334c34d6a2b6b00

SHA512
3c7f16613e3e9858b272c30a82bdd166fb5b09e9264e2a75337816d9cf48aefd7731116fb1bd9fe4a49861a535ecf43fec84bb19a579c21b0e6d6d28a673efee

Download Submit
C:\Users\Admin\AppData\Local\temp\31a1installer.ini

Filesize
360B

MD5
1ec1608feb5ee9b6effca03efc2605cf

SHA1
a4bcd141ac78f383ea7d907845c4ed71d653315d

SHA256
59368e6d99c8de54cbf7ddbdb1e3be31ab81d4548c390b588ddacbcaf324ae9a

SHA512
28fe01ac58ae759befab41536c825fb35505cdba67a1ab5fbb76e3964510c33952e30d409b1d32b64644642b32a9b66ad625cf2df38c7f83c3a3da10f549bbb8

Download Submit
\Users\Admin\AppData\Local\Temp\31a1Installer.exe

Filesize
1.6MB

MD5
2b36c3c492fd485ace487d2455177eba

SHA1
59fd0591acfa9d016d86463fc6a509ac67ec3ebc

SHA256
7c4d4f2435bf47c07ac935d3b790137e554d3aceeed7f3cc498b6e216a1cab3d

SHA512
f18ae0c200f61642d32d6460448d416cab62e821b4644d0e25892ab553c6c92182ed0bc396a61895f048e23fd3170c9d693a67acaf9da9088db00cac34228635

Download Submit
\Users\Admin\AppData\Local\Temp\itinstallerp.exe

Filesize
2.3MB

MD5
aa14e33d23f2ce17cd0f076728ffda5a

SHA1
a96fc321742e43df49d773e8aa70410aba2823b8

SHA256
10c32434511642ed732b342c58676916fb6fc3f91c087ac624a7281ba69f9acb

SHA512
f42cd38be3c544c5085387e61742118d683c01660f0fcf846d58a35df119c6aac23408e414f0d7f913c429360a27fddefdfe050de54ee0689cef5fa448f93fe9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd123A.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
\Users\Admin\AppData\Local\Temp\nsd123A.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
\Users\Admin\AppData\Local\Temp\nsd123A.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd123A.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdEE0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdEE0.tmp\tkDecript.dll

Filesize
211KB

MD5
5d4fdeb847b1f481637406fd119f479a

SHA1
8bbbea0eb0d88eeaf928deeffd5490f13d6b023d

SHA256
c57314886b8ce4c6376c8cff506daebf931731aa899782d9e84364a97eff78c3

SHA512
31b54ed2dd60f011b54a4d7356bf7c5eb87e6fc73e49fdc05443e09aa704fb7ae9305be540f2ff8205f1942e2fab35daff9d9083d11893da8db492772c07870e

Download Submit
memory/1932-14-0x0000000000440000-0x00000000004A2000-memory.dmp

Filesize
392KB

Download
memory/2860-127-0x0000000074220000-0x000000007422A000-memory.dmp

Filesize
40KB

Download
memory/2860-286-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-258-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-257-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-256-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-183-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-168-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-210-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-287-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-281-0x0000000074220000-0x000000007422A000-memory.dmp

Filesize
40KB

Download
memory/2860-288-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-285-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2860-284-0x0000000001F10000-0x0000000001F1C000-memory.dmp

Filesize
48KB

Download
memory/2996-23-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-297-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-280-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-289-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-291-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-293-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-295-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-282-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-299-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-301-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-303-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-305-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-307-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-309-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/2996-311-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download