a827aeef1409269f76c80f60250f45b379cd688e6800c14bd767478dcdfdfb75

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
Size

2.1MB
MD5

2bdd82a68c04db9e9f53a02e7314f020
SHA1

e3aa309b76f60d5cf67ab80d683366c4578550d6
SHA256

a827aeef1409269f76c80f60250f45b379cd688e6800c14bd767478dcdfdfb75
SHA512

e45591aef694120d9ec17265ac25e356058c5d7698e8a25a96f3a85fe86315939e2a3bebc2341d45a1f5f69ac8cd4256e1214eb436fff0799a84aca8aac8ba62
SSDEEP

49152:zL/jf/gDmDn/cKy7+gATTC7w94qW0uwGv6umAOKIyZk:zLrfkW/U7X0QZTIyZk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3832	WingSvrs.exe

Loads dropped DLL 17 IoCs

pid	Process
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
3832	WingSvrs.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\WingSearch	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\WingSearch\app = "C:\\Users\\Admin\\AppData\\Roaming\\WingSearch\\"	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 752	4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	87
PID 4132 wrote to memory of 752	4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	87
PID 4132 wrote to memory of 752	4132	2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bdd82a68c04db9e9f53a02e7314f020_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:752

C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe
C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
228B

MD5
03fe97e784070d35e5eec3c83c0c4614

SHA1
13341f301b3a8008b83ceab4409b6e700b9abcf7

SHA256
9e541762167af210dc09f2ff060c10b677b9ae3b047a74083b0ccf3d1e61b292

SHA512
694068936fd38a3ba709ca29cc8287a4db67f1644995dbc7a098f708deb3ad1b0fea0a179fca8b7bebf5a2e4d917bf8d17c3030174869d542f7f9c2a9a82c46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\Dialer.dll

Filesize
3KB

MD5
4e6686aece13707435cce60dcb2ab572

SHA1
9bc7bcffa81e19ad315cab0f261e2394b99aa8f4

SHA256
b8bdabefe8360a157f287bf2b672d8d9a0453224a6b377348aa6a98438fccaf2

SHA512
a1936a86e1fd28a0d44e3e2bab4e41d3ebc6322155d47cd64df9d4ec1b3a093872f74f9848d39c6062242ea4f5af69b32e99f06fd892279b2a1a3cc6c1586e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\SelfDelete.dll

Filesize
24KB

MD5
7bf1bd7661385621c7908e36958f582e

SHA1
43242d7731c097e95fb96753c8262609ff929410

SHA256
c0ad2c13d48c9fe62f898da822a5f08be3bf6c4e2c1c7ffdf7634f2ca4a8859e

SHA512
8317af5cc3ac802eb095f3fa8cc71daa1265ca58fead031c07872f3d4bb07663a7002ae734fad392a7617f0923fe0caf1f54ed55afdf8516a6a08e202d86fa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\services.dll

Filesize
7KB

MD5
89408795f143525890bbda9281c42f45

SHA1
bd9f08641cbe86d18c985cea5325dc2ad8525aa6

SHA256
065564c3d7e19e7dea083fb9a426dfdfeabba6ca3a7587bee938f75db5753114

SHA512
ba11a243b97326f6cd12f7f6f8b81e67f7e8f55b5dcf63a7e705813f85c9af1866891770077514051ce153527b074dcba2881b94bdb1925dedc81354e9a84cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\svrreg.dll

Filesize
1.5MB

MD5
9984d4d8a4d912e4a1c34dd9324e2356

SHA1
7693138b480aa2bfae44b3b07649f30e09ae7e62

SHA256
e9133b9aff90f271881fefa99f562fbd2860d874e723f5945e72d04b9d6b2474

SHA512
28cd31da030b0ea13e7b96b1bd3e41f61e4c54fba63c9c650c5409ca669c16698a5610e126dca26d6de61e80d70f01b37183b8a82ccb2a75e54b6e4b6d9799f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgE198.tmp\wingfavi.dll

Filesize
1.6MB

MD5
96c2faa6800f061e2e03f6368b12dad4

SHA1
43a339e298e6786dff59c68d2ab6793fe34bc6a0

SHA256
f5d055f3ec74394ea4e988d9476b00107542bfc40032b6bf99b5662c42c33b98

SHA512
a283c3ebb906f0d6d6b43d4f99da851c9ad6884676da7e9c9dfcd809c4563f1e562e03cde4c9b76e1ad75fb0c784ebcbf5d17a81fdf59d4b99d5d95fcf70111f

Download Submit
C:\Users\Admin\AppData\Roaming\WingSearch\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\AppData\Roaming\WingSearch\WingSvrs.exe

Filesize
10KB

MD5
7b9ed09fa5d96eec6ec2d330b49c5b61

SHA1
e3a7b005ab9b25250e598d85e238db53f755bd8e

SHA256
a48ac4c9801ce568a566f2501552419ac7216e5bb0da7af27571178e1ff6dfed

SHA512
b0f39baf0b8608788a58348d52ad9bf2709c6e1eba67cb65e3926859cc3a84c97b95a58349a6fbbb8dc0feec01baca38518e4f6fc99a4cc9e7b07f92930ea0c6

Download Submit
C:\Users\Admin\Desktop\¿Á¼Ç.URL

Filesize
238B

MD5
e294f0ee894f58708e778046b3415474

SHA1
748be27acc4fb18e03e1e503d54ed8a8749aa171

SHA256
72bc5aa352851eeb9c162fc4aef3580b22b7ada6a6a102758f382886e5376859

SHA512
3763c96203be48853a66b711d65d441ecb753cf63a60aa87683c7a7ffa30ab6e827152085df65dbd660c5d1222148fa0824bc05956ece1b33f2497d4c512c224

Download Submit
C:\Users\Admin\Favorites\´ç½ÅÀÌ Ã£´Â ¸ðµç ½ºÅ¸ÀÏ, ¿Á¼Ç.url

Filesize
262B

MD5
e789c8e52a4be96f621b2e2cadcbfe7e

SHA1
6409aedfc8a7c9d1e95147930396d6ea6e2d6223

SHA256
9492aab731617c16bea6235ce7918c022050d0749faf0191574aaf9f5712a9cd

SHA512
37482dfb48895a40c9421741360f3cc094c99fad36c8ffa047bdb3e876cd4323763c7065b199d1bcb617e7347d0cf491672d57f3f0975778dada3ce063d9e845

Download Submit
C:\Users\Admin\Favorites\µð¾Ø¼¥, ½ÃÁð 2.url

Filesize
258B

MD5
122e029e95b023ae4f17134c00ebebae

SHA1
a244b1ab035c73e887ae61e2799d29a60076872f

SHA256
e3b7db907c73bfa1bd03a121dc1607544ea149e04eefd935aad2476402441816

SHA512
c0b39cf36092997f4d8c0c46166c6d22f410a81375de299e1d629fe1681b0ccb02782187333579ec67ec986a44203b6ad38721a9c2ce148e0e6640e511ff9937

Download Submit
C:\Users\Admin\Favorites\¼îÇÎ ½ºÆ®¸®Æ®, 11¹ø°¡.url

Filesize
254B

MD5
cfa6f19c5465ae4a7745e12815ce2ad9

SHA1
3d3b130d27475ecf1b45b9c940aad47a307d7eff

SHA256
77c57d3f5f9049e15e430457fbbf5fbdf713530335f7e9a57456179046baf19f

SHA512
d5244aba188ef941e1bb3692478d6f6a37d25b15ab0d2f3252a69ce1996b4c2bc3fcde3c17ae635bdf4b576157ca13351391e553cf0a3d979b1940092fdfe72e

Download Submit
memory/4132-17-0x00000000022B0000-0x00000000022CA000-memory.dmp

Filesize
104KB

Download