Analysis Overview
SHA256
06e187ee90ec1e32e8e0bb61a7f806a92dabe74d104a11b5b927c1bd23847524
Threat Level: Likely malicious
The file a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 22:55
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 22:55
Reported
2024-06-12 22:58
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe
"C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4324,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dl.iwin.com | udp |
| FR | 52.222.169.2:80 | dl.iwin.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.169.222.52.in-addr.arpa | udp |
| BE | 2.17.107.115:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.iwin.com | udp |
| US | 8.8.8.8:53 | 115.107.17.2.in-addr.arpa | udp |
| US | 35.153.119.44:80 | www.iwin.com | tcp |
| US | 35.153.119.44:443 | www.iwin.com | tcp |
| US | 8.8.8.8:53 | 44.119.153.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.200.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.193.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| FR | 13.249.8.192:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | img.iwin.com | udp |
| FR | 13.32.145.18:80 | img.iwin.com | tcp |
| US | 8.8.8.8:53 | 192.8.249.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.145.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\System.dll
| MD5 | 960a5c48e25cf2bca332e74e11d825c9 |
| SHA1 | da35c6816ace5daf4c6c1d57b93b09a82ecdc876 |
| SHA256 | 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2 |
| SHA512 | cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da |
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\nsisdl.dll
| MD5 | a5a4cee2eb89d2687c05ef74299f0dba |
| SHA1 | b9bff5987be422887f2f402357b47db2288a1a42 |
| SHA256 | cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963 |
| SHA512 | f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0 |
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\iWinGames.exe
| MD5 | 9939c0274f24ae6d6e29dd5580fd88ac |
| SHA1 | 96c2a03086e3afd51430fa0f79026d7a961101ae |
| SHA256 | 991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471 |
| SHA512 | ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35 |
C:\Users\Admin\AppData\Local\Temp\nsjE9D4.tmp\ftdownload.dat
| MD5 | bc1a08283ccd7967613219c5cea33048 |
| SHA1 | a104a940995e6aaf7faaf9a1bd1e061c3e4b0dd8 |
| SHA256 | 3160186021a733b39e860061c5b1fcce905dd595a20ab4db87410f674f958916 |
| SHA512 | 2b235b9076265352a8a2d43804c030f0ecc7168ab3bf3ec73cbef33865c44fe62d683a5f3294bdce77cb44d54fe2f47547133e601f2f1fb08620bd5ccb2a225a |
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\nsExec.dll
| MD5 | 51e63a9c5d6d230ef1c421b2eccd45dc |
| SHA1 | c499cdad5c613d71ed3f7e93360f1bbc5748c45d |
| SHA256 | cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f |
| SHA512 | c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522 |
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\InstGameInfoHelper.exe
| MD5 | 3d3d2bf9c42dbdf97247775c00f22190 |
| SHA1 | 7a046170aaeb5e1a29d8c8cd7c32225f49237aa1 |
| SHA256 | 59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a |
| SHA512 | 6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466 |
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\gametitle.txt
| MD5 | 08e6a153368d8c0fb970a1cf0b60a6fb |
| SHA1 | 4f2ebf2b3eaa65f4d47b34f61622f09bb345606c |
| SHA256 | 5993da161b24cffbcd13269a3e5a7bff1d65dadbf5a72829e5dbd4a882266973 |
| SHA512 | 0df00d67f04a2edc9f24257114095a5956fdf3d26c6665ccbd9de09de53d047454273b7acf602f81ca4985d65fab263b7dd04938e40db001068b36bc9cdf5dad |
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\BgImage.dll
| MD5 | c430c0a7ef0ac8f80004de7f7898bced |
| SHA1 | 1f698e988bcc19d280a70c3283ff2816bb0db465 |
| SHA256 | dd4e24bcee7e9e952f1c7cda7532c0b851b87577e1b679380808f22d875c7c96 |
| SHA512 | 3fa4fe59cadb580ab8b452ff7c2dd3802f8f6fe920dee15c81492c0c324ab991471de01fdb6f3ac07e336a90755243a1ef1de1bb5dd1c51cb70918e7192b46b4 |
C:\Users\Admin\AppData\Local\Temp\nsgEF81.tmp\tn_feat.bmp
| MD5 | 6792b98e5bf4a7835a2e5e533c632494 |
| SHA1 | 5f7d25167558a188dbefaadbff2de0595c4ea0b3 |
| SHA256 | 7ef3a4675994c2df47456026bc784837fa8e5fff0519c905abf6a5a3fb9fef25 |
| SHA512 | 8528e97c0e1ee035b6e7f56a53cf699734ea9da84050b28f344b5bf8f13a95e2ce5457b50bb372438192fa12d7fff108df914e516a3aa062a9091ba600511a55 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 22:55
Reported
2024-06-12 22:58
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2ce5a73ea2d54fdd4e9a5129f39d8fe_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | dl.iwin.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nst1028.tmp\System.dll
| MD5 | 960a5c48e25cf2bca332e74e11d825c9 |
| SHA1 | da35c6816ace5daf4c6c1d57b93b09a82ecdc876 |
| SHA256 | 484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2 |
| SHA512 | cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da |
\Users\Admin\AppData\Local\Temp\nst1028.tmp\nsisdl.dll
| MD5 | a5a4cee2eb89d2687c05ef74299f0dba |
| SHA1 | b9bff5987be422887f2f402357b47db2288a1a42 |
| SHA256 | cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963 |
| SHA512 | f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0 |