c55732168517ea7a91d294844d2e32da201bb31e95ec484f68f29fa5efb5e08b

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe
Size

858KB
MD5

bd68e020d796278d3683f75a0d76f52d
SHA1

7645095d4e50a9484f640347e3a6e3f0d53ec1d5
SHA256

c55732168517ea7a91d294844d2e32da201bb31e95ec484f68f29fa5efb5e08b
SHA512

558bc4ecad5fed3d4527a26fd021232248e5147b8c19a798b510c33f1126604f32e5bb590b1ca4ec564fb8aec18d282a2272519563534a9bfe8734e14c9faeef
SSDEEP

12288:g1HZBFqMkpHzHzmHdFFagEEDC111RmqmqmqmNXAXAXAEBYYAoVHzHacsimn75jRL:gZc75jRrLN2fnTaKRnw4i5EAaQd

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1824	Au_.exe
2808	kwuninsthelper.exe

Loads dropped DLL 23 IoCs

pid	Process
952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
1824	Au_.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe
2808	kwuninsthelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 952 wrote to memory of 1824	952	bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe	28
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29
PID 1824 wrote to memory of 2808	1824	Au_.exe	29

C:\Users\Admin\AppData\Local\Temp\bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd68e020d796278d3683f75a0d76f52d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe
    "C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe" /MTD="cG9zdA==" /DAT="TWlVd09UeFRVa002VFZWVFNVTmZPUzR4TGpFdU1sOVFSWHhCUTFRNlRsTkpVMTlWVGtsT1UxUjhWRmxRUlRwU1ZVNVZUbE5VZkVOVlVrUlVPakU1T0RremZFbE9VMVJFVkRwOFZWTTZNVGs0T1ROOFZFTnZkVzUwT2pJMU9UTTVORE15T0h4N1kyOXdNak0wTlY5QmRWOHVaWGhsZlh4Vk9ueE5RVU02UlRaQ05UUTVSVGhDUkRnNFBnPT0=" /RES="QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXGt1d29tc2dsb2cudHh0" /DST="aHR0cDovL2xvZy5rdXdvLmNuL211c2ljLnls"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kwuninsthelper.exe

Filesize
100KB

MD5
b759bbbb1af31b9fab3954360086f828

SHA1
f43c8195d0d8303a316218a4958b790c4f965818

SHA256
9cd242782f6c82b27396c2a1133df29cfb3498f64875e756c155dcd10a647426

SHA512
1914d5d0f780d33eccddb11b244387737c8fcc18deeeca3bed50e17510f0e5a7b8850afbe99dd3cd8037720af32e8c1599fd66ed4c2d77bdb74fcc5773dc42bc

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBA6.tmp\Base64.dll

Filesize
70KB

MD5
850740258bc04a9a60266a206a56a576

SHA1
562efebbde3e3ae999081f217f50092f27ee19e5

SHA256
d905aea5493481703a0be6ec70815774edfbaa75cab9d1fcd9f0ec32594b0567

SHA512
da9c1e4b587ad35317810e2320ed62f1bbb353ea52477e9d466f20cad25bbe5b0bfa6746e2823d1f7d2255fdfbdd3356a67e029c5858f5823a791edd25a94bf0

Download Submit
\Users\Admin\AppData\Local\Temp\nsiBA6.tmp\inetc.dll

Filesize
55KB

MD5
43fa0a6cde7f17e914b5087e133cbaa9

SHA1
1bb3e4cc98e3b65722d21425d0358e2fe93b20e9

SHA256
46e26dc2255603778fd046493fae73130963c7fb365ca222105e8ea0328c485f

SHA512
b2e7921e18f12703df2e08ae6edb16823ea74278980b91019272c12c516498bb6db1e0d2b422f3af2aa3d492396423cc84fe8bf43b229e4745ca4592a149f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nstAAD.tmp\KuWoNsis_new.dll

Filesize
298KB

MD5
82f572276aff5f06f55240323ad8d267

SHA1
0eeef4b8aa4787a3912522187855c8c0743bbca5

SHA256
5f901e526effe89e783eb4acfdec0f485a465a98b9069d0b13ffd5e2ed73adfe

SHA512
b29a1faa150dbe70b2cffccb233d25548c812a2f773e031b76d9de314bc33ad4dad69b821f315535dc0afdcf0e6e5749d6487ff9eecac927999b93906ec15c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nstAAD.tmp\KwMusicNsis.dll

Filesize
419KB

MD5
06029e624f1d222e59ac641b2ce426b6

SHA1
6ba2875bee2eae79c0e1eaa8aa236038c8db6044

SHA256
09fb37e917faea5c966bc3418d1d7e46e3d0b9912cadd56486ba5bb5ac0f7b10

SHA512
516c04cfc31204879a0c938961208416ddd4ca7204606d630abe860c81422aa1316e45e29669ba01a7506af3f05284395c7c46524f2e73f36d3b4274203de70b

Download Submit
\Users\Admin\AppData\Local\Temp\nstAAD.tmp\NSISArray.dll

Filesize
32KB

MD5
8b43a3f284632edfbb51665b2e0b8a3c

SHA1
af6ab111856be7af7212a82b052e8b5656159b35

SHA256
336e588999bf6b1cd6c894dbf5a73b2198d48c935f8b1251687845cce467dc67

SHA512
3a9add285d074db534937b193b92f8e0503c94c97b11f0abe5d9358342fbc57461ba1f559fa19e0522cfec914b8a007f11bec34abef17faaca5de8bda0dbaf94

Download Submit
\Users\Admin\AppData\Local\Temp\nstAAD.tmp\System.dll

Filesize
11KB

MD5
7df8fb4196186f28cb308f9952d7ef64

SHA1
f20a7259ad233ac3795b6e6537de658209a8fd40

SHA256
72253837028abed272e5d50a3a6771933e9dd1aad73e90b8db4538aa9c786cbf

SHA512
3f373d69664ce015ceab16c12ba4c806c3489b89ae9db282551ec2452acd2ced1d70ddd4de0ef8c56d62a715624c9d2ceddc968adf07e905f2e4c81c2850ae4b

Download Submit
\Users\Admin\AppData\Local\Temp\nstAAD.tmp\nsDialogs.dll

Filesize
9KB

MD5
3ff6d8bfd6784eb4325102d9f76a0fe1

SHA1
1eedf67a5f3ea636bcb621402bb679d3e08c0414

SHA256
6da0ec15a4d3bbcfdd82d36838abcf8d57515d06049290801e5d71b4fd021dab

SHA512
dcc6c3ad393503c6527528d4fccc8b4faf25c6ff50a08c29247ab144f444d31590e3f7a581b2c955b0a109b552f0b7e3b4ae1849228d31a220d46eb5e1e2d26a

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
858KB

MD5
bd68e020d796278d3683f75a0d76f52d

SHA1
7645095d4e50a9484f640347e3a6e3f0d53ec1d5

SHA256
c55732168517ea7a91d294844d2e32da201bb31e95ec484f68f29fa5efb5e08b

SHA512
558bc4ecad5fed3d4527a26fd021232248e5147b8c19a798b510c33f1126604f32e5bb590b1ca4ec564fb8aec18d282a2272519563534a9bfe8734e14c9faeef

Download Submit
memory/1824-31-0x0000000002350000-0x000000000239C000-memory.dmp

Filesize
304KB

Download