Analysis

  • max time kernel
    121s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/05/2024, 13:58

General

  • Target

    846328c9641705a25e245812690346b7_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    846328c9641705a25e245812690346b7

  • SHA1

    9c512753df6d03547d668e995914b09a14e06d52

  • SHA256

    a6fbbdfd4727a94119a43866f2997b8b0b319a391bab2830d8a217517f882196

  • SHA512

    d04edf39b9918aef444f333b60692dd0d6e6a8451a9e0f9f0084552b2bfacbcee9ecf1d2a9bf54156f6ecf6f3f70807f6e9e79e967e25ec010d8529ca12ea4b3

  • SSDEEP

    49152:CgWFAS1CetCGJTt2MOSzSAUXMQU2NjXJw0FmWYSx4SJvJ7ZRLeduQ:ut1T9t2MOSfmMLWjXJw0FmWYQvJtgduQ

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe
      "C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\846328c9641705a25e245812690346b7_JaffaCakes118.exe" "HKCU" "Software\MediaPlayerApplication" "zerker"
      2⤵
      • Executes dropped EXE
      PID:4368
    • C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe
      C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\MediaPlayerInstallerStuff.exe

    Filesize

    115KB

    MD5

    18226dce3f8a67d3ed65c2d1a9f3b348

    SHA1

    59e983233a0c9ae32348fed758b14ec29cb1f987

    SHA256

    c748afc480f03f7e24b3eba8306ef108da235c39ee134a744363e2c22ed7afea

    SHA512

    46a18c49829afa289795ca4dac85931d60d60a1e52238841ec288d18c802aa2be6f8b3f14130ea25f86c73c37f89875b9b6f4743dcb05959e83614ad1c8b3efd

  • C:\Users\Admin\AppData\Local\Temp\nsq7BA9.tmp\nsProcess.dll

    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

  • C:\Users\Admin\AppData\Roaming\MediaPlayerApplication2\MediaPlayerApplication.exe

    Filesize

    170KB

    MD5

    3cdc437ac9a03a6cca99d618cd397da4

    SHA1

    6a331756c30bb7777c2c7e6c07ca0562d7f500c8

    SHA256

    de24fb81d20c2aacb66f419c6e523416cf61c5ea5de3af0e25ed4eb301f3a6f2

    SHA512

    9aad7f0bdbe7d126b32fca359c3498888820edef9d23d866e5a481be877cd59e4da4944869ccd022581b332945ebecb9fb21d82cddf319a6480c722a23fc7015