0534bd590fba16ba535feaa26babf7dd209ab721ade2c11ffbd26dd44712015a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe
Size

1.7MB
MD5

2852ab3974259e76c50747b1982d74c8
SHA1

069fdba2f3f3249c9552a58b820f26d9e7a79a2f
SHA256

0534bd590fba16ba535feaa26babf7dd209ab721ade2c11ffbd26dd44712015a
SHA512

d78c52e5a7abcd9b28a5c4e6dcbe7b51e87ca4673e0aea8396aa8a9de6ef9b959ea69b939ccd5661f308746f79c0fddb18525e93128ae0d49b3610ae0cb40ecb
SSDEEP

24576:qmfQ/C9e3rJ26ysOflZVk77yhLqboLnfGwgshmIicY2sik7qTGTS5Ebk1ocTeBKX:/z92QjLfGaMFEqUQkpeBrQVDrg6mV8

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	mirc632.exe

Loads dropped DLL 7 IoCs

pid	Process
1928	2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe
3020	mirc632.exe
3020	mirc632.exe
3020	mirc632.exe
3020	mirc632.exe
3020	mirc632.exe
3020	mirc632.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mirc632.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000014aae-1.dat	nsis_installer_1
behavioral1/files/0x0008000000014aae-1.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	mirc632.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3020	1928	2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe	28
PID 1928 wrote to memory of 3020	1928	2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe	28
PID 1928 wrote to memory of 3020	1928	2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe	28
PID 1928 wrote to memory of 3020	1928	2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2852ab3974259e76c50747b1982d74c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\mirc632.exe
  "C:\Users\Admin\AppData\Local\Temp\mirc632.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd5063.tmp\ioSpecial.ini

Filesize
686B

MD5
b650c88366d4d7e0812f74ae654cb43b

SHA1
f91fbc66c7c57463d351cd5ef2e4a569088606e9

SHA256
195fbcbe21fb1de3999279d334e0a7277ae94ed55d0af66cc7b0d2f92afe6fd8

SHA512
9996087c591fd2b469ad0d1fbc12570a6310b364bddd994da2979bb467e6a9275792c3cbcb238b519dbaf7d5d339f56e8e0a588bc085be2f1e265ec51475fe27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5063.tmp\ioSpecial.ini

Filesize
725B

MD5
ce371c5015aead0a3d0bda7bcfe2ee7e

SHA1
0a3c7c1415cdad6954438dae28f78e9005fcf1d1

SHA256
6c37e8e6ea65279b92e7de0f28f59b7f0c402cae11e61b0a1a62a1ed523a159c

SHA512
23c923d89bdb3ae7da0f76b7cd85afa89c9562832a0e1c1a656a738a6fe675e0da9031ab633dc2cee24a2189595e00add73503ff6dc972bc3ea09a411f87c2ef

Download Submit
\Users\Admin\AppData\Local\Temp\mirc632.exe

Filesize
1.6MB

MD5
7d7b3d9e516b27c38d1f320a8a70315a

SHA1
d5a5731edf9b9da888418248284e904e9c47a008

SHA256
ca8002ef56a72e454b638ce4d43eafddeeefb84d8b9c88ef251ed622a7ba18ab

SHA512
f73df64a3a8ded18cd2774ae251eacddbddc59d3f1f7b86936e67a2bc6744a70346dd0a0fb7e3d8b53ca72c4455e85350512c083a62e2f4b62e2e6e162cba60b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5063.tmp\AccessControl.dll

Filesize
9KB

MD5
ac426cc4fb1fd52e45333a26d0c0c173

SHA1
aefeb4520503670ec19043f30b52515515bddaca

SHA256
dcd93abe74c1b1191dce90b5764bb9acba1e5d17845ebc26a016ff888c14c1a8

SHA512
1e959012d70c5ca52853b5ffe9032aac1b2569c6875274e494fc9692654eb1c9ebf2d34f2aa8fe99b0a870c00d937826c36c1c4073c9cb53cb1c7697514b897d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5063.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5063.tmp\System.dll

Filesize
10KB

MD5
32465a07028b927b22c38e642c2cb836

SHA1
309cac412b2ecf6a36f6e989c828afcdd8c7a6e4

SHA256
eda545d4dcb37098a90fce9692d5094bb56897f04eff6d40e3dedd122a4d1292

SHA512
9d886a722bbbb5d8d77e97d256057fe685f1932042257a8382e13548fe835d01c64de65e2b5ad2c2ff99692b14c924e6ddb84797f6224f1772e8699b421e6aff

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5063.tmp\UAC.dll

Filesize
14KB

MD5
b7d7324f2128531c9777d837516b65a6

SHA1
e15e44fc7c907329e1cd3985e8666b4332f4fa48

SHA256
530dc2b26366fc86072487438317a5723a10ff8b38522f9e813df19146a31033

SHA512
829fc241cd377de094faf80bb38828c3d877170ca4a3fd85810bc911d2ce38941f8067ef681c21d8bbc04be8a99a3d32b3aec51ae7b32d3a89e5a9d9597ed8d5

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5063.tmp\mIRC.dll

Filesize
30KB

MD5
8423ec692d326f92dfa7db57f977d315

SHA1
65fd701692fab6dfe24ba0fa2b29e474b6f5da56

SHA256
0d1218f43e2b5b0d4e052918b5193e7e050bb9f0a9bfc39f7395276b8399b50e

SHA512
fbb0f057dc192362584efbbb5e0c9c6fa56584580b3190aba83017905a50b9b3f54aa535281eac34f4a07538a4ddee822d974cb512b4afe28e15b504376102fd

Download Submit