1121a23abf827d61a30300db64b472a66911726724e260c17679f27e5bd7cbc3

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
Size

2.3MB
MD5

95ba9321235fd7775e74078c299d5ed3
SHA1

5b4347baf58a66ce94fb9d17d3204f76ed5f8662
SHA256

1121a23abf827d61a30300db64b472a66911726724e260c17679f27e5bd7cbc3
SHA512

7512d2a8b4f814da6a2254839a75fec8b4c93151d724491968223ed51061d104f4816a3a5f2e2409c572d3005aec55189f93ac2bb31a532784ba0d8c46765a45
SSDEEP

49152:K9DaBD7i6TPrf3duvn9LNVPWEcvmTSKhDqWhIcFRtPJEf:K90D7hTT3i1NVPWUSKhDn7RJG

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019627-192.dat	acprotect
behavioral1/memory/2728-197-0x0000000074A20000-0x0000000074A2A000-memory.dmp	acprotect
behavioral1/files/0x000500000001962b-242.dat	acprotect
behavioral1/memory/2728-402-0x0000000074A20000-0x0000000074A2A000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2684	1717523363itinstallerp.exe
2728	dcd7Installer.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
2684	1717523363itinstallerp.exe
2684	1717523363itinstallerp.exe
2684	1717523363itinstallerp.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe
2728	dcd7Installer.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015d53-17.dat	upx
behavioral1/memory/2400-19-0x0000000001D60000-0x0000000001DC9000-memory.dmp	upx
behavioral1/memory/2684-28-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/files/0x0005000000019627-192.dat	upx
behavioral1/memory/2728-197-0x0000000074A20000-0x0000000074A2A000-memory.dmp	upx
behavioral1/files/0x000500000001962b-242.dat	upx
behavioral1/memory/2728-253-0x0000000002D40000-0x0000000002D4C000-memory.dmp	upx
behavioral1/memory/2728-254-0x0000000002D40000-0x0000000002D4C000-memory.dmp	upx
behavioral1/memory/2684-401-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2728-402-0x0000000074A20000-0x0000000074A2A000-memory.dmp	upx
behavioral1/memory/2684-403-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-404-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2728-406-0x0000000002D40000-0x0000000002D4C000-memory.dmp	upx
behavioral1/memory/2684-409-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-411-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-413-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-415-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-417-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-419-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-421-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-423-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-425-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-427-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-429-0x0000000000390000-0x00000000003F9000-memory.dmp	upx
behavioral1/memory/2684-431-0x0000000000390000-0x00000000003F9000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000015d12-47.dat	nsis_installer_1
behavioral1/files/0x0009000000015d12-47.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	dcd7Installer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2684	2400	95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe	28
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29
PID 2684 wrote to memory of 2728	2684	1717523363itinstallerp.exe	29

C:\Users\Admin\AppData\Local\Temp\95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95ba9321235fd7775e74078c299d5ed3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\1717523363itinstallerp.exe
  C:\Users\Admin\AppData\Local\Temp\1717523363itinstallerp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\temp\dcd7Installer.exe
    "C:\Users\Admin\AppData\Local\temp\dcd7Installer.exe" /KEYWORD=dcd7 "/PATHFILES=C:\Users\Admin\AppData\Local\temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\temp\dcd7installer.ini

Filesize
572B

MD5
18d944112b5072ae292b54e2ed3bf56d

SHA1
ddbe1b547d90c243c7d60dd4ffc7847ec381a466

SHA256
f74f4830322264c29a2c996c3fac3ab490c2a78a9fffd7975b6c65fd16172ad8

SHA512
5731673f5af8214268c56c069786d0731c224e51a477c111f4084f596dd1c005e16def73fcecde618277788d0820d35228dbbe85fe28561beac9073516930f79

Download Submit
\Users\Admin\AppData\Local\Temp\1717523363itinstallerp.exe

Filesize
2.8MB

MD5
fe4422df8857fd1eeea3b41a277889db

SHA1
4c80bd07bd3c5249c7daf2b33d0a318899ca2925

SHA256
f9c7c3a5222120e920e276e4955a967b07e8d35d4764ab6152f6989fd8f64045

SHA512
445607b7e28ef6525a42acc48f49f5accc0d6a867beda24f52ddc36f996dfea4ca9b48824001197e53d8e0f904235b01ca54a71af5d6da8c4accc8b87f58700f

Download Submit
\Users\Admin\AppData\Local\Temp\dcd7Installer.exe

Filesize
2.0MB

MD5
94d3871dcd0378ba34e4e1f11ae87aad

SHA1
33d915f0b98e1b58e4df4d3aebfe555ea822ff3d

SHA256
134b2d746bd3c15b81d559a4f1fd3c647670f061a151df7ae65e296eedd403de

SHA512
64e36ff3d04dc80ce2a5e432096a16d4e0168c10d168f529040edb1e9f4a970b56b70067ae90b09e5efe41ca184328e3c17dd398b34962bf295b95627ea15dae

Download Submit
\Users\Admin\AppData\Local\Temp\nsd27DC.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd27DC.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\ButtonEvent.dll

Filesize
4KB

MD5
55788069d3fa4e1daf80f3339fa86fe2

SHA1
d64e05c1879a92d5a8f9ff2fd2f1a53e1a53ae96

SHA256
d6e429a063adf637f4d19d4e2eb094d9ff27382b21a1f6dccf9284afb5ff8c7f

SHA512
d3b1eec76e571b657df444c59c48cad73a58d1a10ff463ce9f3acd07acce17d589c3396ad5bdb94da585da08d422d863ffe1de11f64298329455f6d8ee320616

Download Submit
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\IpConfig.dll

Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\nsArray.dll

Filesize
6KB

MD5
f8462e9d1d7fd39789afca89ab6d6046

SHA1
7e9a518e15b7490245d2bef11a73f209c8d8d59b

SHA256
48941e9f5c92a33f1e60a7a844d562dd77ce736fd31b5503c980b49679dfe85e

SHA512
57dee2253abd7d17d53811d5e95237f9434288518fb043645524a517786db2d8a91df86a6da732c620f12ad0e7ea30a923b8d5f3de386c65bd3ff240bc0dff69

Download Submit
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\nsURL.dll

Filesize
109KB

MD5
ee1c41db6834538ee4048ccfc45055be

SHA1
efbbfc884a3193fadf542b0bef387cffc86923b7

SHA256
8904eb2c575ac5509d1a19f7c14b6ab804e88c22e3c2232d45de4198cf9850aa

SHA512
312c60a27ee625c9454cb8403c575bd2f9562fd1288ae84ad648018b62e455bf89928acb2508e75be8e76cd19ac1127e873b1187d06fa265ca2e624e02382ffb

Download Submit
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2400-19-0x0000000001D60000-0x0000000001DC9000-memory.dmp

Filesize
420KB

Download
memory/2684-415-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-421-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-431-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-429-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-427-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-425-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-401-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-423-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-403-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-404-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-419-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-417-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-28-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-409-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-411-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2684-413-0x0000000000390000-0x00000000003F9000-memory.dmp

Filesize
420KB

Download
memory/2728-408-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-406-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-407-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-220-0x0000000000610000-0x0000000000636000-memory.dmp

Filesize
152KB

Download
memory/2728-402-0x0000000074A20000-0x0000000074A2A000-memory.dmp

Filesize
40KB

Download
memory/2728-273-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-254-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-253-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/2728-197-0x0000000074A20000-0x0000000074A2A000-memory.dmp

Filesize
40KB

Download