df5b4f8f0a459bb640a2a42028d9c9afd048d136ae98583d4040b01b07260167

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Size

16.9MB
MD5

658f78184be7051163d1b46cec615012
SHA1

ed7a15e0e7e6d6f1317ae30cb93a670a0072cf4f
SHA256

df5b4f8f0a459bb640a2a42028d9c9afd048d136ae98583d4040b01b07260167
SHA512

62545703ac72397dd98c4ced912f2379c398b9a48e2d78751df92e540e5b8ee4755c21c60ce767177b4078fdf199d0483c2ac4be90584546f7433304feb1b62e
SSDEEP

393216:GJ/oIL+cnAWGVuL4VmxXT5/WvTymGW2yoepd4Whbr:G+I6cAxoL4VmXuGmG4dWA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

stext.exe

pid process

2288 stext.exe

pid	process
2288	stext.exe

Loads dropped DLL 9 IoCs

Processes:

658f78184be7051163d1b46cec615012_JaffaCakes118.exe

pid	process
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1518.001

Processes:

658f78184be7051163d1b46cec615012_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AhnLab\V3IS80	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	658f78184be7051163d1b46cec615012_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	658f78184be7051163d1b46cec615012_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

stext.exe

pid process

2288 stext.exe
2288 stext.exe

pid	process
2288	stext.exe
2288	stext.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

658f78184be7051163d1b46cec615012_JaffaCakes118.exe

description	pid	process	target process
PID 5032 wrote to memory of 2288	5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe	stext.exe
PID 5032 wrote to memory of 2288	5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe	stext.exe
PID 5032 wrote to memory of 2288	5032	658f78184be7051163d1b46cec615012_JaffaCakes118.exe	stext.exe

C:\Users\Admin\AppData\Local\Temp\658f78184be7051163d1b46cec615012_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\658f78184be7051163d1b46cec615012_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\stext.exe
"C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\stext.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\EstUrl.dll
Filesize
181KB

MD5
2c5e13287d27b526c01aace7ea92be9e

SHA1
3b7895f3e3f9dfa9797d2cf04ad7d3d5548210e6

SHA256
986ea6d67ded7e67cefe739902194751643982293154ba496d4b5076e0df38e4

SHA512
51702649d7ccdfd90a1b7d06699d0791ed60fa2419013deda826cfbfac57231fb06000d1e8a3bf866459ad8597393cdf95e559f575dc51c236c3205c69bc36b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\System.dll
Filesize
10KB

MD5
b666f31c4c24be1d4d47cfb55dd35f96

SHA1
fee917ead511a6c14538c72539fa740edc7d82c5

SHA256
07aefeeea75705edcc3a21ac7dc4b5b837c234c041b725c245b50a73ffabb78a

SHA512
6dd69a085b6b2a2671ec6545bae27a72151457ccd76c3bc43a4544f4910fd8791251fb08c2f068d54dd91a6093bed50a80afb68875a9ddf29ae43c42a7337bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\UserInfo.dll
Filesize
3KB

MD5
6717338e4e0f6283ded89d771c849260

SHA1
aa7dcc18d6bf3b2fb0e74466fb2a5d60cc8aa60c

SHA256
2d0f153a0a09bb6217cccf3d015100f80216e717bbb9e00eb2482a0964a9c361

SHA512
5e3e8c1ce87edf8bfb2556dd5672e1c1e9e37e629fc013167a93fded04e65b79c9b6b192b252daffe45c6d03480f825e1fbf998064edd2771cbce925d85d2280

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\nsWeb2.dll
Filesize
197KB

MD5
d8113c015116547827b0cdc4869c244a

SHA1
82392f5483c6c175b3955cdf39aa87d550266ecc

SHA256
b7baa631014fbda8fdce67c8b660de8507aaee9b8c572d21746b3078341d3885

SHA512
907c61006a58dcafa812f03fa08b58814950f66e9019bfcc12eefc59b0f7ab2ddee040e2ab162b7e09c3f47cdc71c914307a6fe7b89e11033edea7131fc2f563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\banner.bmp
Filesize
174KB

MD5
94715ab02d666f0b19590030e1bd4f8a

SHA1
887f618c0ac49ce0209a0e54f6ae97ac501764df

SHA256
d1b6bbc5aafc9d3d578d7644d28223a64f6c74b31503e260a76037b7d4bf3ccf

SHA512
d6155ea4b62299ed8dd941cd9454aa437a28a6e73e1b4846e18f80fa259ab2a9f819bcd0a8e1cc99ed0e2ae2d8ab921dd041018a08c70bf8a2be44ec0a9442ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\estci_l.bmp
Filesize
3KB

MD5
7df755f1fd4936268507acba151bdbfb

SHA1
88244f9f5b1188ddb7cba16668904ea7c8c8c847

SHA256
129e7c9241e303ee196cda84fb67ccbd58de350497af64140189189f0e46c598

SHA512
2c64e8a7414582c36f3a793c82b64864e0f56c6a8bac5f7bd2ce16b0692c25751383d640749926d075608b8a8827d272a6e6a5d74cb4e89e341f24994d85bf6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\input.ini
Filesize
3KB

MD5
8f591378d4bf7182cb861d3e413393db

SHA1
08f0d64393778e376389f6afa8de0639dfd75137

SHA256
f42debafb1c5613a8c98c537deec0e365009e67ad7874c732d4be50dc80775c5

SHA512
bb7da5177e22e9d6299de6def273bd5dc025ada699a063cc855d38f3445884400c04ae197547e82875a2f22f257f924be1e87c3fba7e4c9a6c3fbc88d635ef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\input.ini
Filesize
567B

MD5
352b79de089d318ac765e1e2d8098309

SHA1
f2707465539288fed814eae16770ae3165ea91e6

SHA256
f42faa6c2c1a2caefb6f1a3ab30fa7e4682b530ee551d7a4e9c764d1935f0d2c

SHA512
61195dee88cbe56ba7ce119fe20c66657712873c507e0a5004752b5bf389e6c5619b1b5f5396c7aeca73a9ca674045f12315d9a23f83930153f36b1896329c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\input.ini
Filesize
1KB

MD5
9fc65ed9b369aa8d7a1c7e3556b3cd79

SHA1
c04ada95c73d3b8d5ea2e136930bcc5de06e246d

SHA256
130d995b9e8de8ffc212d5ec4cb441e1a35d890c139dd9014825978c9137073a

SHA512
d70d12e369f70077aefab5167768cd1d734c02b2a9df30dd078d94b4aade1f5dbb4c67f78a9272466cd03803885425b21feaf74ff1798b516110282d652d8397

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\instro_title.bmp
Filesize
5KB

MD5
e7ee760c7197832923d16e7066b47814

SHA1
48f9ca2f31ebcbd638c7fab602b2ac1094acdf0c

SHA256
79ee8e2762f9edbc0eb76ed6f3fc0cd05ceb8a776d0684c71d44b8abb39d8e40

SHA512
5f4b79eeaa755ecb184d7b6ea4a4e568435c8a95ea721673c553c59a5208aad7cf8eeadb0cb934f8308caba6e66090046bdbe83b90f67d3d2025445618ff8518

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\intro_icon.bmp
Filesize
25KB

MD5
e7dbe79c26db8f4b4be7bcfc37c13298

SHA1
82150b4c51b51da27360de54e450aa58a4d6ee68

SHA256
37752f12c27eff16f03226a4df11fafc50d94be94040e1317f81f3820b43c3ee

SHA512
7c4a89fb4c4fcc0dcc83228eb6cb70e282b7c1baeef7f70f527fcebee49bcb8e6e741d8b3e057fbf604e014d1a79daeee587e6f0e12d403ab8af10b6ece761d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\lic.rtf
Filesize
21KB

MD5
f4bb786568837e88014b62e81b7ec6a3

SHA1
358e4979622bc4d2ce30cf8ead5a80b97f3c740e

SHA256
62849fefefecfaed616192c691481f1c3844c36eb25baafa5a9c312d223b1c28

SHA512
79d91bb49ecfb522eaf660cdeae6c6c7618444f69520a71439a898aded1471ef28b3ffaeef18bfc9f83da9dfbd0037a8b00ed98090b3eae910c870953442b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\stext\stext.exe
Filesize
645KB

MD5
6284606ed3cde0677eed03e9a9e7f063

SHA1
e59a99dd2d51fd491adab51a9f08b75bce82c3b2

SHA256
3e4e33e0a0b65e5546604fbcd83014fc3d467eb16a3d9cab0e53284ceb9616a9

SHA512
c535b8e690e47f11609f84ac494dbb301828f367e0a914263463d29d412c1cdba422767b9f3aacae272e63cebbd22b707577d0de9d566bd96163fac633371b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp470D.tmD\workerExtension.dll
Filesize
549KB

MD5
e22882c6a4f464b95f0137dafedf18be

SHA1
11e845fb4d6c56c63814346c854e89b9138b2fac

SHA256
31c46010d24673fcbfcc0f17dceb5fd72520fc92b6a43ae987e35786a50961f6

SHA512
d9bc60317c64679f7e95142b10e154be014912aed551abdb871f94b5d14ac3c918b54b281b5f4fb2f00c1761c089ac56e2df8f99ddfb096a9af4a28d1cfdbdb0

Download Submit
memory/5032-45-0x0000000003CE0000-0x0000000003D10000-memory.dmp

Filesize
192KB

Download
memory/5032-21-0x00000000031E0000-0x000000000326C000-memory.dmp

Filesize
560KB

Download
memory/5032-10-0x0000000002340000-0x0000000002370000-memory.dmp

Filesize
192KB

Download