1c4483bcd5d73e75c10f2aac41b849940f673d9885da962962f8267888a14d0e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
Size

536KB
MD5

6bd9caa1a6ffd921d036d23ebf797e5b
SHA1

82ae311a2277608315326837bd7e50a448fe005e
SHA256

1c4483bcd5d73e75c10f2aac41b849940f673d9885da962962f8267888a14d0e
SHA512

d6a0696ee20cbde947cefa953313cb8de6bf29fd30c4fb0aa3261ca9ffed6a74aa1b60e35be9c7fd73b1cbcd7a01688944a20ca4fda4058c818898529f40f1b8
SSDEEP

12288:qNSvHhDU4gXpWjbIBaRPtFyddHCp7Qb7woR:qMvBaIjbFtF7p7QgoR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NSIS_Install_igb.exe

pid process

2676 NSIS_Install_igb.exe
Loads dropped DLL 2 IoCs

Processes:

NSIS_Install_igb.exe

pid process

2676 NSIS_Install_igb.exe
2676 NSIS_Install_igb.exe
Drops file in Windows directory 1 IoCs

Processes:

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

description ioc process

File created C:\Windows\pack.epk 6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2676	NSIS_Install_igb.exe

pid	process
2676	NSIS_Install_igb.exe
2676	NSIS_Install_igb.exe

description	ioc	process
File created	C:\Windows\pack.epk	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Temp\NSIS_Install_igb.exe	nsis_installer_1

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe

description	pid	process	target process
PID 3432 wrote to memory of 2676	3432	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 3432 wrote to memory of 2676	3432	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe
PID 3432 wrote to memory of 2676	3432	6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe	NSIS_Install_igb.exe

C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bd9caa1a6ffd921d036d23ebf797e5b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\temp\NSIS_Install_igb.exe
"C:\Windows\temp\NSIS_Install_igb.exe" "/LICFILE=C:\Windows\temp\license.dat" "/MC=C:\Windows\system32\lkpgmsxpus.exe" "/MCPARAMS=INSTALL:|109|FBnXPPBAAA-FA6CK4LAAA|172800"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi2944.tmp\InstallOptions.dll
Filesize
12KB

MD5
d61d6c709e7947296603059f8bedeba9

SHA1
bdcfc90c358c82be43ef85727a7bdfebbd6d1b69

SHA256
65012a46603b7e13807938e2a61f3c2a60cced3fb3187dfab3e391705e2c3f63

SHA512
ed5a6efd1dd5e2119a9c523b9f9154e13552b3538bf72f4b8b02d6a9c808c3ae2ba7613d9e2b3395237461703f2da0a1482a52727ffcf6fc967552390dab0f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi2944.tmp\LangDLL.dll
Filesize
5KB

MD5
8be27f3bdec2b49d0a6a674716622304

SHA1
70d17db576ed484a4c0195571118d307fd4dc1b9

SHA256
4fe0a8391574867d8bdc6fb33555d90e02796563f02d1e6536acc3294a85bd47

SHA512
add9f37dd0d7a27f19d172c82599a79d049385c12cdfb78745ce2b0685ecea8f85c718bd62ecd671bbed949529429500853534b63226809e707ad3745a8fc801

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi2944.tmp\ioSpecial.ini
Filesize
700B

MD5
9e6d6e7c037281327ba3aa4e929efb85

SHA1
e990fbd83b2b98fc5893f1c6b3b953ed2269e72e

SHA256
6f77a699064765d955f27f071b9c986917ac099faacb4743b9c32288cb57f8a8

SHA512
0bb68da7f2f8930f232866e64906566354bd34edb74c50f79b62d6f3f9b3697cf1f2c58dcafbb2999c92da361af529b3e76b9d5ec7ce2776f5393bc1c1ecc4d0

Download Submit
C:\Windows\Temp\NSIS_Install_igb.exe
Filesize
231KB

MD5
769f7d70149df32d0df1982c056716c5

SHA1
c6c08c86cbe484513d50f7f919f26e78d7430501

SHA256
af14a85d1e37c133d078d423f36adddfb9fbf8dbabec41acf891315bd3a6f61b

SHA512
db6d37791c964764275eaaa3aa2b89347e601072298fe4972c916bafe77d0814763d0c920dcb01e866014fdf497495bddf30c869c67032db558bbf52acfa2022

Download Submit