Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 18:22
Static task: static1
Behavioral task: behavioral1
- Sample: 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
- Size: 536KB
- MD5: 6bd9caa1a6ffd921d036d23ebf797e5b
- SHA1: 82ae311a2277608315326837bd7e50a448fe005e
- SHA256: 1c4483bcd5d73e75c10f2aac41b849940f673d9885da962962f8267888a14d0e
- SHA512: d6a0696ee20cbde947cefa953313cb8de6bf29fd30c4fb0aa3261ca9ffed6a74aa1b60e35be9c7fd73b1cbcd7a01688944a20ca4fda4058c818898529f40f1b8
- SSDEEP: 12288:qNSvHhDU4gXpWjbIBaRPtFyddHCp7Qb7woR:qMvBaIjbFtF7p7QgoR
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2360 NSIS_Install_igb.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
  1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
  2360 NSIS_Install_igb.exe
  2360 NSIS_Install_igb.exe
  2360 NSIS_Install_igb.exe
  2360 NSIS_Install_igb.exe
  2360 NSIS_Install_igb.exe
- Drops file in Windows directory (1 IoC)
  Processes (description, ioc, process):
  File created C:\Windows\pack.epk 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (1 IoC)
  Processes (resource, yara_rule):
  \Windows\Temp\NSIS_Install_igb.exe nsis_installer_1
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  2360 NSIS_Install_igb.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
  PID 1952 wrote to memory of 2360 1952 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe NSIS_Install_igb.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
2. C:\Windows\temp\NSIS_Install_igb.exe (child of 1)
   Command line: "C:\Windows\temp\NSIS_Install_igb.exe" "/LICFILE=C:\Windows\temp\license.dat" "/MC=C:\Windows\system32\trfdqwdbou.exe" "/MCPARAMS=INSTALL:|109|FBnXPPBAAA-FA6CK4LAAA|172800"
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\nso2906.tmp\ioSpecial.ini
  Filesize: 700B
  MD5: 0ccec062611b993e56672494fb870876
  SHA1: ca703cd2b755e01c771f0e3cf450604087a97d39
  SHA256: 753f53501fb9b6e84b9e4f713ec8f89e25abbbed2f8dc3ad74cc9c7602bd1010
  SHA512: 829b15653af0583701e7f7bc2187b87fadd06769555340198737ca8bb2094219538ccff5b6176a7d85dbe9c55f8fcf3d9f1bee1271ff36970e8cd4f0057c53d2
- \Users\Admin\AppData\Local\Temp\nso2906.tmp\InstallOptions.dll
  Filesize: 12KB
  MD5: d61d6c709e7947296603059f8bedeba9
  SHA1: bdcfc90c358c82be43ef85727a7bdfebbd6d1b69
  SHA256: 65012a46603b7e13807938e2a61f3c2a60cced3fb3187dfab3e391705e2c3f63
  SHA512: ed5a6efd1dd5e2119a9c523b9f9154e13552b3538bf72f4b8b02d6a9c808c3ae2ba7613d9e2b3395237461703f2da0a1482a52727ffcf6fc967552390dab0f2b
- \Users\Admin\AppData\Local\Temp\nso2906.tmp\LangDLL.dll
  Filesize: 5KB
  MD5: 8be27f3bdec2b49d0a6a674716622304
  SHA1: 70d17db576ed484a4c0195571118d307fd4dc1b9
  SHA256: 4fe0a8391574867d8bdc6fb33555d90e02796563f02d1e6536acc3294a85bd47
  SHA512: add9f37dd0d7a27f19d172c82599a79d049385c12cdfb78745ce2b0685ecea8f85c718bd62ecd671bbed949529429500853534b63226809e707ad3745a8fc801
- \Windows\Temp\NSIS_Install_igb.exe
  Filesize: 231KB
  MD5: 769f7d70149df32d0df1982c056716c5
  SHA1: c6c08c86cbe484513d50f7f919f26e78d7430501
  SHA256: af14a85d1e37c133d078d423f36adddfb9fbf8dbabec41acf891315bd3a6f61b
  SHA512: db6d37791c964764275eaaa3aa2b89347e601072298fe4972c916bafe77d0814763d0c920dcb01e866014fdf497495bddf30c869c67032db558bbf52acfa2022