df2a98160f73a3237d6dea3319c674cebfe9d3e45f724de2f50005c087b11ea8

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe
Size

85KB
MD5

a001c62496816fa03903f7eacc0c4da2
SHA1

4dba4cc7cee7ff7ae7d5c7bcf674c55ece6fa376
SHA256

df2a98160f73a3237d6dea3319c674cebfe9d3e45f724de2f50005c087b11ea8
SHA512

9f179835d37b6a47af881bdf2db615c71ee9fb5255eaa00e895bd327d9bc8b2fbd1879d3f89b9e7fa65df3090f6c6f9a500026c9b0abc402d53bea0f0ec96cd9
SSDEEP

1536:XCaIoX1oYOcbTMV88TXJLE7iwhKKS2gE2wGu3SzRy8:XCaZ2Yrb0VTXJY7iZKUE2wGuiw8

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2540	iWinGames.exe
2704	InstGameInfoHelper.exe

Loads dropped DLL 7 IoCs

pid	Process
2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe
2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe
2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe
2540	iWinGames.exe
2540	iWinGames.exe
2540	iWinGames.exe
2540	iWinGames.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000014bc8-12.dat	nsis_installer_1
behavioral1/files/0x0007000000014bc8-12.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	InstGameInfoHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2540	iWinGames.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2540	2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2540	2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2540	2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2540	2268	a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe	28
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29
PID 2540 wrote to memory of 2704	2540	iWinGames.exe	29

C:\Users\Admin\AppData\Local\Temp\a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a001c62496816fa03903f7eacc0c4da2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\iWinGames.exe
  C:\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\iWinGames.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8E2E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8E7F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\ftdownload.dat

Filesize
512B

MD5
f964914b792f4a1a29012d2ce877c354

SHA1
bd0c87ae867ab7e234f32a530a1d913c683b0c29

SHA256
0b99bfd080cb5e363d589d1121d2a8b060becd5129909f4525c2b39620a71082

SHA512
ef95a58e96b8499b8168dd878c5e8b8fe9daa4809b06fff1b4ec423d10b32f6cf3e242ef174a3f6e2daafa310820940ab1958daf11c6c45aaeb7b4a07c798c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\gametitle.txt

Filesize
26B

MD5
309a9fb72f3824c8ac8e0255293cbf13

SHA1
b93e54c9fdaad918a835965f7f1383f32f457a86

SHA256
bcecf3f61cfd30561c59dc69d60b3da75c74cd1ed83eff5e9da4ef5b9acf199d

SHA512
3e3e8eda2eb8bff30110c3deba26940ac6e099c0730ffc7909e13fd9b1ec01e023805f4bf95a432b4d67fefb09150554d4d4ce4bd5588a00a57e756e254c6151

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\tn_feat.bmp

Filesize
4KB

MD5
1428568292bf67feb76157a2b299b6dc

SHA1
615cc2a168d3312e633f8d5f21f9e849881d5d06

SHA256
9151e09d06ddcffbb4dce2fd201b60cf4257a69218443d8d7c8baeccf1aa8691

SHA512
8988b92d1f800b1c6e6a51c9aacddb3d421a9ebbb31b5fc800a6539febb0d99ec4857ced0f3a78b95b265cabd554c8323b6d1759b891db62b94c760c021df968

Download Submit
\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\System.dll

Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\iWinGames.exe

Filesize
4.4MB

MD5
9939c0274f24ae6d6e29dd5580fd88ac

SHA1
96c2a03086e3afd51430fa0f79026d7a961101ae

SHA256
991cefa2b730f298ae402d32ad1e311996354f4bb4ae815c4f979e03b70a5471

SHA512
ab230e1b79f14ce6bcde605a5cb0e13c4030fd64c9b86cb1df290455084dcd04c40f2f011ea0e674b52e6f47490ee9bb3f41dc5e07b83187f3c75c13c471bf35

Download Submit
\Users\Admin\AppData\Local\Temp\nst6FD4.tmp\nsisdl.dll

Filesize
14KB

MD5
a5a4cee2eb89d2687c05ef74299f0dba

SHA1
b9bff5987be422887f2f402357b47db2288a1a42

SHA256
cb82268b778703db75961cddef33a695a674f0dfd28b7e710b198ef2d26d3963

SHA512
f485267c6239f84d294ed4b0a82f317081e6e2e0c5613bd012bbd496b9ebccb8aca6944e80f84af51d17ac13f4d83480c34edfe37a3a9508ce0e67fc9f0b96f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\BgImage.dll

Filesize
7KB

MD5
c430c0a7ef0ac8f80004de7f7898bced

SHA1
1f698e988bcc19d280a70c3283ff2816bb0db465

SHA256
dd4e24bcee7e9e952f1c7cda7532c0b851b87577e1b679380808f22d875c7c96

SHA512
3fa4fe59cadb580ab8b452ff7c2dd3802f8f6fe920dee15c81492c0c324ab991471de01fdb6f3ac07e336a90755243a1ef1de1bb5dd1c51cb70918e7192b46b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy84AB.tmp\nsExec.dll

Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit