198321ee4fb56e048701a3843fd707b5444f8b3095e3a807365dafe3b162150f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe
Size

1.4MB
MD5

0fa615422192936a4a63c07f205f04fd
SHA1

409c5e26302f940bb35f360db13c3d4c0032c410
SHA256

198321ee4fb56e048701a3843fd707b5444f8b3095e3a807365dafe3b162150f
SHA512

b7c85bd9172f18afd498d52216146f428c47dffd168833e7252e343f71753fbded1471f9c53ced734ab1b270cb9526a5898d2ec98c2d7e7d2521a59e566d051a
SSDEEP

24576:1gYnW1lVRaVJE1i/BqCO1idxh6ENjN0lF4KwA7G+LvTN3H:yYnS4eONH0lFmYRLvp3H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	W2BiH.exe

Loads dropped DLL 3 IoCs

pid	Process
2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe
2020	W2BiH.exe
2020	W2BiH.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2680	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2680	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2680	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2680	MSIEXEC.EXE
2680	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2020	2220	0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29
PID 2020 wrote to memory of 2680	2020	W2BiH.exe	29

C:\Users\Admin\AppData\Local\Temp\0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fa615422192936a4a63c07f205f04fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\W2BiH.exe
  "C:\Users\Admin\AppData\Local\Temp\W2BiH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/slotsville/Slotsville20120314034536.msi" DDC_DID=210093 DDC_RTGURL=http://www.dlhsetup.eu/dl/TrackSetup/TrackSetup.aspx?DID=210093%26filename=SlotsvilleCasino%2Eexe%26affid=28 DDC_DOWNLOAD_AFFID=28 DDC_UPDATESTATUSURL=http://190.4.91.55:8080/slotsville/Lobby.WebServices/Installer.asmx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="W2BiH.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is11C1.tmp

Filesize
1KB

MD5
d542810d42c545b0ffe65f5301c22a7e

SHA1
c904b733986a8f16b1b2878327e5f9466906af41

SHA256
b903881c99860b1d648f0af73d64b1a5fae4ad272222d229f777f30d477a6747

SHA512
1791f2efbc24ffb54cd04bd1d97ba77cc3bd42f790cbf06d07536a6c855472c71914d7c7c873aae2299274cea99f269a4b661a35363396817754016b57390e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCF35173-8EB0-4E4D-9BA4-88A9FBA33234}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCF35173-8EB0-4E4D-9BA4-88A9FBA33234}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~11AF.tmp

Filesize
5KB

MD5
89ed485daa972ac2c626ad1d9ffd13a7

SHA1
ae7959f3481c53a37a3db0402e93388a4efcad23

SHA256
70b5c376c981cf978e5a7443fd1feb466c1a16b6bafbef9e897444ecfe1a8cc0

SHA512
93aa5e60012dfe5c8e8e021c61f847e65bf6981ad77200d9a9479e4f9a4899763439a957eeefe58c631a8821d172b0e5041efa2ed4901ec48e1e4aa3c90024be

Download Submit
\Users\Admin\AppData\Local\Temp\W2BiH.exe

Filesize
1.1MB

MD5
1181879d59404d1d9418f1fbc6504b5d

SHA1
119e8c877b2ab268afd2cf5fcfb55db23c177fe6

SHA256
0ce315128b8adce0aa95371ddaf7d09eb938da0d28919e3c811579a88814fa5e

SHA512
4c7bb15b4bf439d847ed83bc849fab0731012ecde5a0dac8c2bc816080b3cf74315136908c63612aaaac396528cdd2a5cd692ee9cb6529a571a65b4d0a8fa07f

Download Submit