e4b4cf456761c88ea4b2f19b176a3b51eab830f9edf11f77999a67929d9fadde

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe
Size

191KB
MD5

3a0cb4919c03c151f51b88909b440253
SHA1

29f8b84919a6aa3d014e174d93d46a08595852aa
SHA256

e4b4cf456761c88ea4b2f19b176a3b51eab830f9edf11f77999a67929d9fadde
SHA512

2aff694e76ac9520632b6a33f12ed17e45d50f952b61fa8b870e008438291cee45ba628cc5059d5301c0510acb7ca3a566225dbbe39460d47934a8ab8db789d0
SSDEEP

3072:1j3DlADd0kJs+2RsDdKZgqbUT0sNzQa1GHsFpQ59miZTuP0HHKQV6Iymy6xGrVDQ:1N7VadKZgJT0sNjbFpQ59m62aKgLylrW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	Au_.exe

Loads dropped DLL 9 IoCs

pid	Process
2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe
2600	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016c7d-2.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	Au_.exe
2600	Au_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	Au_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2600	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30
PID 2436 wrote to memory of 2600	2436	3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a0cb4919c03c151f51b88909b440253_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstBD38.tmp\AllRemover.dll

Filesize
52KB

MD5
c4c0c23f01fc5e2b407e2463e8f5080c

SHA1
7a55985593a6398d1a66883ae5f5929d4d9aee52

SHA256
ff0f59a359c306b0cb0a8ed935e2e1208d3532607c32ab849cccb7a15f09dd3d

SHA512
013232e5b14fae8aa83f1e2541370003911f8c827df8a4e419b0ba1f2c090033c97b2fb589e9e27935a45cda0ccf1a8f1076c3342e940b754845a2cec2a421de

Download Submit
\Users\Admin\AppData\Local\Temp\nstBD38.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nstBD38.tmp\Math.dll

Filesize
14KB

MD5
bc8b9990819748dd57ccf28b73df57fd

SHA1
3e4f4bef94dec5745e49bdedd9c8ee85621d507c

SHA256
f7c310298a938c77b52094280b56da106d00a63705e2cc4b3eb2a730be01ade4

SHA512
fbeed46e079ae36ae26b655b3bae0cecd89181c8919b4a3aa03d4b32e3a8e365be0ab8df7ffa6e08576e4b8d797edc88a619e21af1d0d7df822250e2ffd3e57b

Download Submit
\Users\Admin\AppData\Local\Temp\nstBD38.tmp\System.dll

Filesize
10KB

MD5
0c8ea8e6637bbf8408104e672d78ba45

SHA1
c231c7acaf9abb7da93f28e1b71bed164d57103e

SHA256
509a93177a7ae130bc3b6b5ec3236c7aa0811b8b86f8ab3442c65fdf8ff85b1f

SHA512
ee763a3cdbbba3b28e6a903ac942c7228bd8e54b19de21d6187e481f2916d833d9b9800e5ac2998f4aa26274cdfb20a8bfdd10f00f2a15d37bcc529b617e1f28

Download Submit
\Users\Admin\AppData\Local\Temp\nstBD38.tmp\WebBrowserNavigate.dll

Filesize
180KB

MD5
2e50f8f24ebbf06cfe2a48a997dfeb05

SHA1
e019b61713e874f96fd608d47e57d3663f688c5a

SHA256
4d51779da2b3ecd55a8af6b8178ca429bf95b41ca17ce50bb02b681f9ea6d51a

SHA512
73b26668a8f1a2e81915748ceed195a5ded9839578f5c114bdbd216692f646a21344230ab694eb26bd644e1d9a780c71db5d2bba8f92d33389873a5ed87c9420

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
191KB

MD5
3a0cb4919c03c151f51b88909b440253

SHA1
29f8b84919a6aa3d014e174d93d46a08595852aa

SHA256
e4b4cf456761c88ea4b2f19b176a3b51eab830f9edf11f77999a67929d9fadde

SHA512
2aff694e76ac9520632b6a33f12ed17e45d50f952b61fa8b870e008438291cee45ba628cc5059d5301c0510acb7ca3a566225dbbe39460d47934a8ab8db789d0

Download Submit