1c4483bcd5d73e75c10f2aac41b849940f673d9885da962962f8267888a14d0e

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
Size

536KB
MD5

6bd9caa1a6ffd921d036d23ebf797e5b
SHA1

82ae311a2277608315326837bd7e50a448fe005e
SHA256

1c4483bcd5d73e75c10f2aac41b849940f673d9885da962962f8267888a14d0e
SHA512

d6a0696ee20cbde947cefa953313cb8de6bf29fd30c4fb0aa3261ca9ffed6a74aa1b60e35be9c7fd73b1cbcd7a01688944a20ca4fda4058c818898529f40f1b8
SSDEEP

12288:qNSvHhDU4gXpWjbIBaRPtFyddHCp7Qb7woR:qMvBaIjbFtF7p7QgoR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NSIS_Install_igb.exe

pid process

2360 NSIS_Install_igb.exe

pid	process
2360	NSIS_Install_igb.exe

Loads dropped DLL 6 IoCs

Processes:

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exeNSIS_Install_igb.exe

pid	process
1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
2360	NSIS_Install_igb.exe
2360	NSIS_Install_igb.exe
2360	NSIS_Install_igb.exe
2360	NSIS_Install_igb.exe
2360	NSIS_Install_igb.exe

Drops file in Windows directory 1 IoCs

Processes:

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

description ioc process

File created C:\Windows\pack.epk 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\pack.epk	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
\Windows\Temp\NSIS_Install_igb.exe	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NSIS_Install_igb.exe

pid process

2360 NSIS_Install_igb.exe

pid	process
2360	NSIS_Install_igb.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

description	pid	process	target process
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 1952 wrote to memory of 2360	1952	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe

C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\temp\NSIS_Install_igb.exe
"C:\Windows\temp\NSIS_Install_igb.exe" "/LICFILE=C:\Windows\temp\license.dat" "/MC=C:\Windows\system32\trfdqwdbou.exe" "/MCPARAMS=INSTALL:|109|FBnXPPBAAA-FA6CK4LAAA|172800"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2360

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso2906.tmp\ioSpecial.ini
Filesize
700B

MD5
0ccec062611b993e56672494fb870876

SHA1
ca703cd2b755e01c771f0e3cf450604087a97d39

SHA256
753f53501fb9b6e84b9e4f713ec8f89e25abbbed2f8dc3ad74cc9c7602bd1010

SHA512
829b15653af0583701e7f7bc2187b87fadd06769555340198737ca8bb2094219538ccff5b6176a7d85dbe9c55f8fcf3d9f1bee1271ff36970e8cd4f0057c53d2

Download Submit
\Users\Admin\AppData\Local\Temp\nso2906.tmp\InstallOptions.dll
Filesize
12KB

MD5
d61d6c709e7947296603059f8bedeba9

SHA1
bdcfc90c358c82be43ef85727a7bdfebbd6d1b69

SHA256
65012a46603b7e13807938e2a61f3c2a60cced3fb3187dfab3e391705e2c3f63

SHA512
ed5a6efd1dd5e2119a9c523b9f9154e13552b3538bf72f4b8b02d6a9c808c3ae2ba7613d9e2b3395237461703f2da0a1482a52727ffcf6fc967552390dab0f2b

Download Submit
\Users\Admin\AppData\Local\Temp\nso2906.tmp\LangDLL.dll
Filesize
5KB

MD5
8be27f3bdec2b49d0a6a674716622304

SHA1
70d17db576ed484a4c0195571118d307fd4dc1b9

SHA256
4fe0a8391574867d8bdc6fb33555d90e02796563f02d1e6536acc3294a85bd47

SHA512
add9f37dd0d7a27f19d172c82599a79d049385c12cdfb78745ce2b0685ecea8f85c718bd62ecd671bbed949529429500853534b63226809e707ad3745a8fc801

Download Submit
\Windows\Temp\NSIS_Install_igb.exe
Filesize
231KB

MD5
769f7d70149df32d0df1982c056716c5

SHA1
c6c08c86cbe484513d50f7f919f26e78d7430501

SHA256
af14a85d1e37c133d078d423f36adddfb9fbf8dbabec41acf891315bd3a6f61b

SHA512
db6d37791c964764275eaaa3aa2b89347e601072298fe4972c916bafe77d0814763d0c920dcb01e866014fdf497495bddf30c869c67032db558bbf52acfa2022

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads