Analysis

  • max time kernel
    135s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/05/2024, 00:41

General

  • Target

    7b1e2e30115fdd17e80825bcb58216cf_JaffaCakes118.exe

  • Size

    465KB

  • MD5

    7b1e2e30115fdd17e80825bcb58216cf

  • SHA1

    f32bf80a09a0f4c7fcbfedb813c475f83658a665

  • SHA256

    544dd232f4eb70fbfd04ebe99ec1e69d5813df06dcb8d56f5058a6d6d6d17da8

  • SHA512

    2db93265c4d69abc839e23bad127722caa6c5b288aab34a5237f2e106b045b28b0773960077d041bf64521a2fba221c29b35108fe080a1f6585b9738fe5c6406

  • SSDEEP

    12288:eeVz7cNqOQ/3AjTr7vHSujL6TciSgUvsG:dVz7cN0/3YrziT5HG

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b1e2e30115fdd17e80825bcb58216cf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7b1e2e30115fdd17e80825bcb58216cf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\TablacusInstallerStuff.exe
      "C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\TablacusInstallerStuff.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\7b1e2e30115fdd17e80825bcb58216cf_JaffaCakes118.exe" "HKCU" "Software\TablacusApp" "badumt"
      2⤵
      • Executes dropped EXE
      PID:1512
    • C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe
      C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:764

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\TablacusInstallerStuff.exe
          Filesize: 104KB
          MD5: 8a8ecd5494501a649b5e0bf1c6c9d64b
          SHA1: a8decedb5dd8964e6d754c8cc1f5fa6a6a1ba591
          SHA256: c577eaec822a6fd6c29a22cc1e19d63d4b99da26145be5c472536d2054347113
          SHA512: 2a4dd8d15afcccc3b0a658dfcb763e6e2a8e94f47a538cd60309e6b771e598ab129d2d35a87c2ce1f3ecfdd0d61a82b2853e978b91714269814cc9543993cd3c

        • C:\Users\Admin\AppData\Local\Temp\nsu45A5.tmp\nsProcess.dll
          Filesize: 4KB
          MD5: f0438a894f3a7e01a4aae8d1b5dd0289
          SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
          SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
          SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

        • C:\Users\Admin\AppData\Roaming\TablacusApp\TablacusApp.exe
          Filesize: 211KB
          MD5: e2bc6cb52f9e0b2deb712a962f0251e7
          SHA1: fc2318e70bc05f36176fbc542aa881277ea03b81
          SHA256: 1dcc2b1788681bbb0f0838d2ac5b6b57b2e58cad5cd925a8af6d8348c1bbc34b
          SHA512: a6e809736fda2956f6a078d7c7c02d7eceefdf1630693937e79ea665ca4e9746e299ca3e1fd7268cbab07248275b13fe694f633f2b96eb68baa136a0fccd1ae5