05abcaacc5ee162814748435645b745b6f3467f38f753fe51668167a215125ef

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Size

389KB
MD5

81ec49cd68d7e854cf50d2d995bbc5f1
SHA1

63a9dff16b3473c02e6838f0354aac1e5f7e817b
SHA256

05abcaacc5ee162814748435645b745b6f3467f38f753fe51668167a215125ef
SHA512

2e92ebe6d2a380b8fc9dc6407d5e572f17e2fffd7135a5fb1e8981464a37c60dea0c1a08132dfcf10effb59eb7287bbceccd54ad64d2bf8afbdcb0f9f26a2762
SSDEEP

6144:wQqHLZeKu9yGolKpT9Y4QFYPfu5xHWYEFZZTh9dtvDSp9f+kBK179D0b:gLZe2KpThwxHLudh9dtvDSvQd0b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	nsissetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2328	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
2592	nsissetup.exe
2592	nsissetup.exe
2592	nsissetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	nsissetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	nsissetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	nsissetup.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0F2812E-E839-415D-A88C-5467554C19B3}	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0F2812E-E839-415D-A88C-5467554C19B3}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\nso2953.tmp\\nsissetup.exe\" -- \"81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe\" 918 00000194 0000019C {D0F2812E-E839-415D-A88C-5467554C19B3}"	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0F2812E-E839-415D-A88C-5467554C19B3}\LocalServer32	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0F2812E-E839-415D-A88C-5467554C19B3}	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0F2812E-E839-415D-A88C-5467554C19B3}\LocalServer32	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2592	nsissetup.exe
2592	nsissetup.exe

C:\Users\Admin\AppData\Local\Temp\81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
PID:2328

C:\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsissetup.exe
"C:\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsissetup.exe" -- "81ec49cd68d7e854cf50d2d995bbc5f1_JaffaCakes118.exe" 918 00000194 0000019C {D0F2812E-E839-415D-A88C-5467554C19B3} -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DLG\initWindow\noconnection.html

Filesize
2KB

MD5
a0ee32dc4ffc79fdef2dc0467da538c5

SHA1
15d78592ac2c313a52d3c22783aae9bb4c787182

SHA256
b4508b7dcc08b2b93cd64bee68bd5174fe48f48280e59f9a81d4861c3ef0431d

SHA512
e7c02d6211878466d1fb77d2d96a79615f3e85cc9579fb6f54001639902eaa106d734a9c7ef07278c5014e7dc8d28d7b2ee28f677f362d80dfd3d26e59a976e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsissetup.exe

Filesize
551KB

MD5
3b6058aa9a3577b6959e582cf925b360

SHA1
78170fa64abbcb9b28df31e80f518abe4eb2b1f0

SHA256
0cf229e7f31afec47c9eea89ef56e78f8fb2d657be15d52dfb51fe1b059fbf41

SHA512
1edf439b6ae5866338e4a18e5a2f88fb1b1eacdc707d9ed616f29bab8fcc8ea2b6762a85a9a4df461934b78f669cd045ee36bd9b7ce6fd736f50876c7e5718cb

Download Submit
\Users\Admin\AppData\Local\Temp\nso2953.tmp\CABSetup.dll

Filesize
30KB

MD5
0645c3c0a775041eb51277c4e93121ef

SHA1
3963d0016da8c2ec51777357fe5e615a1308c3b5

SHA256
91687b6cd88653f0be20b129c16dd14dd5f909a4d096218d3306ec62d3c260a2

SHA512
5a192ce1eaad049027c362e7a0c85a705ef8045c268e7fb09eab364c6da27929ab78fccf755145ea620deeb32a0954c62aa7d699249057fcd5522d45c0937a47

Download Submit