Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11/07/2024, 18:45
Static task: static1

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | 3a52ac14c60c65991d37626910e92329_JaffaCakes118.exe | win7-20240704-en |
| behavioral2 | 3a52ac14c60c65991d37626910e92329_JaffaCakes118.exe | win10v2004-20240709-en |
| behavioral3 | $PLUGINSDIR/DLLWaitForKillProgram.dll | win7-20240704-en |
| behavioral4 | $PLUGINSDIR/DLLWaitForKillProgram.dll | win10v2004-20240709-en |
| behavioral5 | $PLUGINSDIR/DLLWebCount_new.dll | win7-20240705-en |
| behavioral6 | $PLUGINSDIR/DLLWebCount_new.dll | win10v2004-20240709-en |
| behavioral7 | $PLUGINSDIR/IEFunctions.dll | win7-20240708-en |
| behavioral8 | $PLUGINSDIR/IEFunctions.dll | win10v2004-20240709-en |
| behavioral9 | $PLUGINSDIR/InstallOptions.dll | win7-20240708-en |
| behavioral10 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240709-en |
| behavioral11 | $PLUGINSDIR/KillProcDLL.dll | win7-20240704-en |
| behavioral12 | $PLUGINSDIR/KillProcDLL.dll | win10v2004-20240709-en |
| behavioral13 | $PLUGINSDIR/SelfDelete.dll | win7-20240704-en |
| behavioral14 | $PLUGINSDIR/SelfDelete.dll | win10v2004-20240709-en |
| behavioral15 | $PLUGINSDIR/processes_second.dll | win7-20240705-en |
| behavioral16 | $PLUGINSDIR/processes_second.dll | win10v2004-20240709-en |
| behavioral17 | $PLUGINSDIR/stack.dll | win7-20240704-en |
| behavioral18 | $PLUGINSDIR/stack.dll | win10v2004-20240709-en |
| behavioral19 | Uninstall.exe | win7-20240704-en |
| behavioral20 | Uninstall.exe | win10v2004-20240709-en |
| behavioral21 | $PLUGINSDIR/DLLWaitForKillProgram.dll | win7-20240708-en |
| behavioral22 | $PLUGINSDIR/DLLWaitForKillProgram.dll | win10v2004-20240709-en |
| behavioral23 | $PLUGINSDIR/DLLWebCount_new.dll | win7-20240708-en |
| behavioral24 | $PLUGINSDIR/DLLWebCount_new.dll | win10v2004-20240709-en |
| behavioral25 | $PLUGINSDIR/IEFunctions.dll | win7-20240704-en |
| behavioral26 | $PLUGINSDIR/IEFunctions.dll | win10v2004-20240709-en |
| behavioral27 | $PLUGINSDIR/InstallOptions.dll | win7-20240708-en |
| behavioral28 | $PLUGINSDIR/InstallOptions.dll | win10v2004-20240709-en |
| behavioral29 | $PLUGINSDIR/KillProcDLL.dll | win7-20240704-en |
| behavioral30 | $PLUGINSDIR/KillProcDLL.dll | win10v2004-20240709-en |
| behavioral31 | $PLUGINSDIR/SelfDelete.dll | win7-20240708-en |
| behavioral32 | $PLUGINSDIR/SelfDelete.dll | win10v2004-20240709-en |
General
- Target: Uninstall.exe
- Size: 126KB
- MD5: 6313c988b270390dc13bfe5ed2f1c7a2
- SHA1: 5722a42f8f546fd541f0041aaaff94316b1e429c
- SHA256: 71a4a74e6d5718ce17f714896d620ee247dbc423c4400e7191c33bea50e59aaf
- SHA512: 0cd6d2ea7c48a22a3a6797c93fc94214f818389cfb42633f6594d017adc76c9c3d553fcadab2b155472ab3b9c65095acd60ff89657086aea357969fec5e86178
- SSDEEP: 3072:qgXdZt9P6D3XJQ4+ByBCK5RfoCfpIhCxcE6rF60qf:qe34mpByBCeRug6rFpk
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)

| pid | Process |
| --- | --- |
| 1660 | Au_.exe |

- Loads dropped DLL (5 IoCs)

| pid | Process |
| --- | --- |
| 2392 | Uninstall.exe |
| 1660 | Au_.exe |
| 1660 | Au_.exe |
| 1660 | Au_.exe |
| 1660 | Au_.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- NSIS installer (2 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral19/files/0x00050000000194d1-2.dat | nsis_installer_1 |
| behavioral19/files/0x00050000000194d1-2.dat | nsis_installer_2 |

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
| --- | --- |
| 1660 | Au_.exe |

- Suspicious use of WriteProcessMemory (7 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
| PID 2392 wrote to memory of 1660 | 2392 | Uninstall.exe | 30 |
Processes
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe (PID: 2392, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID: 1660, depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads