Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/06/2024, 02:42

General

  • Target

    a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe

  • Size

    2.5MB

  • MD5

    a3918e032ff926de0deec7701b87d759

  • SHA1

    6e45e8fbd7cfb5596d533025fb9f8869ce085af0

  • SHA256

    bd933e5a31ed83d21cefeb9d6f40e9b480fb1d560ad01a32eef1aabeda2ba17b

  • SHA512

    031237c459f64f3896e7b9ac06cf66a1b9bca2b4162199cb925ea4a05ab8c28353c58fc5a8b2d449ef7cde8cd87ae4d5bf089efaf82724fbd32f724dc9e438cb

  • SSDEEP

    49152:GnsHyjtk2MYC5GDLHikkafWDcqzMeBKoQV0aFXnEQl:Gnsmtk2afkKNMLo67

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      PID:860
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2928
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.5MB

    MD5

    a3918e032ff926de0deec7701b87d759

    SHA1

    6e45e8fbd7cfb5596d533025fb9f8869ce085af0

    SHA256

    bd933e5a31ed83d21cefeb9d6f40e9b480fb1d560ad01a32eef1aabeda2ba17b

    SHA512

    031237c459f64f3896e7b9ac06cf66a1b9bca2b4162199cb925ea4a05ab8c28353c58fc5a8b2d449ef7cde8cd87ae4d5bf089efaf82724fbd32f724dc9e438cb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\jHv4qXEE.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\nsi20FA.tmp\splash.jpg

    Filesize

    32KB

    MD5

    7b969f1073cb2bbc59e0e4bde493ba62

    SHA1

    5af88b9eedbcadf18f0ff7a740001bb173a205fd

    SHA256

    181b91f41df916a24549837e4e0c6ca53da4aac69ebc2737d45b29c453a25f5f

    SHA512

    f699846e67a46a869d5aed8c0d420dbf46d81c37800179e378c8d245f6a2ee7419ae73bb25eadb8462477eb93d052b3843672babe6f6b470f136fe0f760a2512

  • \Users\Admin\AppData\Local\Temp\._cache_a3918e032ff926de0deec7701b87d759_JaffaCakes118.exe

    Filesize

    1.8MB

    MD5

    6ce93a43d85c29f42962ace3fa818e26

    SHA1

    19439224cc4a59212499cad2842aeabb5b824fbc

    SHA256

    1821610d00410064fd10df6c08104a23a3eac06fe8cc6723f7222880c732774e

    SHA512

    6a0c1b35ca2c915cf9637607574964c945e08734ebd8be9eacd508ae64b6e09d213494cb758b19f893209fff42c646193879131bff67936de2ef969f958d886a

  • \Users\Admin\AppData\Local\Temp\nsd1D81.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    0c44f21d4afc81cc99fac7cc35e4503a

    SHA1

    3d0d5c684df99a46510c0e2c0020163a9d11c08d

    SHA256

    8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10

    SHA512

    4e4bd35d6aa21cecbfe7a93a2ee7db8ee78ca710a4193dfe240d1067afbe10f61db332c1c85f6cc3ba404d895a959742401b615ef8ff5bd9028254c4a43a0923

  • \Users\Admin\AppData\Local\Temp\nsd1D81.tmp\newadvsplash.dll

    Filesize

    8KB

    MD5

    55a723e125afbc9b3a41d46f41749068

    SHA1

    01618b26fec6b8c6bdb866e6e4d0f7a0529fe97c

    SHA256

    0a70cc4b93d87ecd93e538cfbed7c9a4b8b5c6f1042c6069757bda0d1279ed06

    SHA512

    559157fa1b3eb6ae1f9c0f2c71ccc692a0a0affb1d6498a8b8db1436d236fd91891897ac620ed5a588beba2efa43ef064211a7fcadb5c3a3c5e2be1d23ef9d4c

  • memory/1848-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

  • memory/1848-36-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2632-88-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2632-95-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/2632-142-0x0000000000400000-0x000000000068C000-memory.dmp

    Filesize

    2.5MB

  • memory/3060-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB