ccc75ee30e31cdfe33c78d3dcd68a9a766860878e467eff42211e4ac629f4e0e

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe
Size

205KB
MD5

19c667e4ac9cd9c264c3959a9ad63230
SHA1

98414bd2b2b17532b2266235712b5676d1b5e9d0
SHA256

ccc75ee30e31cdfe33c78d3dcd68a9a766860878e467eff42211e4ac629f4e0e
SHA512

efb166a8b917103ada4684ecad9f7a111d86fd3e7bb5304b59eaa0ee57ead688024893fc3200d6a962bd76289acf78738b099ed3a253576564d025ba31748ef4
SSDEEP

6144:4e34Tb/N8grWyS/36rFF5pLvnVAsvp1EUXZgrOsqYLCd:YbqyK3677VAszEUJVd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe
2364	Au_.exe
2364	Au_.exe
2364	Au_.exe
2364	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b000000014198-2.dat	nsis_installer_1
behavioral1/files/0x000b000000014198-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2364	2424	19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19c667e4ac9cd9c264c3959a9ad63230_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst1298.tmp\ioSpecial.ini

Filesize
574B

MD5
d7932da058d6de19d5c52fc4a563f4fb

SHA1
4210e118dab9a7907a317fa5872568fbce927fde

SHA256
d7964898ec8d5004afec3bc867a9961a73dabd688fe2eb9e5686f61ed2910b15

SHA512
5546bd798ef674c1f965ed7bd9b98596210952264cd59266eedbff0be5901679d173b8413672e7c652059d415e3347fdc6b99fc9aedb4a6a2c867c54def00a74

Download Submit
\Users\Admin\AppData\Local\Temp\nst1298.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
205KB

MD5
19c667e4ac9cd9c264c3959a9ad63230

SHA1
98414bd2b2b17532b2266235712b5676d1b5e9d0

SHA256
ccc75ee30e31cdfe33c78d3dcd68a9a766860878e467eff42211e4ac629f4e0e

SHA512
efb166a8b917103ada4684ecad9f7a111d86fd3e7bb5304b59eaa0ee57ead688024893fc3200d6a962bd76289acf78738b099ed3a253576564d025ba31748ef4

Download Submit