e7e47b92277e67a612b1945d474bc3a74f84072e71dc05d53654d5859e2bf2e2

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 09:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
Size

77KB
MD5

5b52e1f220690085370fa4e6c3fa700f
SHA1

e79374ccffcffc13553e7e90b0e8fadc28e5e4f0
SHA256

e7e47b92277e67a612b1945d474bc3a74f84072e71dc05d53654d5859e2bf2e2
SHA512

c86843ee29923d39eeb7f092036cf8f12cc1a97076b75cb7e36ffe907c7f2b66460d2c23b4ff177974eea63d52c63e718e19b860ea56b8c08b90fc261cfa0c11
SSDEEP

1536:E5JeZFIF5l3I3CbUqdhV9eYmjyRDuzOUhKAfckJWWuOIHZ:E5wTIFT3uC/izjyRDxUhKAfckJvup5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
2760	Au_.exe

Loads dropped DLL 9 IoCs

pid	Process
2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
2760	Au_.exe
2760	Au_.exe
2760	Au_.exe
2760	Au_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\microsoft shared\ink\flicklearningwizard.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\mip.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\ink\tabtip.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\chrome_proxy.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jarsigner.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jsadebugd.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\7-zip\7z.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\apt.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\idlj.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\java-rmi.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jinfo.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\policytool.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\106.0.5249.119\elevation_service.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jvisualvm.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\rmid.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\rmid.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\chrome.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\javac.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\javah.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\javah.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\javaws.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jsadebugd.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\chrome.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\application\106.0.5249.119\installer\chrmstp.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\javadoc.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\7-zip\7zg.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\internet explorer\ielowutil.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\apt.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jinfo.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jstack.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\ktab.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\ktab.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\106.0.5249.119\chrome_pwa_launcher.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\106.0.5249.119\notification_helper.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\appletviewer.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\extcheck.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\idlj.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jstatd.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\klist.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\application\106.0.5249.119\chrome_pwa_launcher.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\google\chrome\application\chrome_proxy.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\appletviewer.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jstack.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\keytool.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\mip.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\native2ascii.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\tabtip.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\application\chrome_proxy.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jconsole.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\kinit.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\7-zip\7z.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jmc.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\native2ascii.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\orbd.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\7-zip\uninstall.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\7-zip\uninstall.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\dvd maker\dvdmaker.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\internet explorer\iediagcmd.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File created	\??\c:\program files\java\jdk1.7.0_80\bin\jabswitch.exe	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\java-rmi.exe.txt	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000012115-1.dat	nsis_installer_1

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	Au_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2780	2776	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31
PID 2780 wrote to memory of 2760	2780	5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe	31

C:\Users\Admin\AppData\Local\Temp\5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
  C:\Users\Admin\AppData\Local\Temp\5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
575KB

MD5
5669469189ff3b63a1893a27c1e44e02

SHA1
16f1f2c7c79de158e3e216142b27c5e9852a2144

SHA256
2efeca5e1be2d64834979cb20cca1d68dc7c16ec8dfc60006d2c4ff324261d55

SHA512
72f5a265ff705f96f038b13b69653b4dc03259bdfd1656031f1ed8e88e0435419d6308b918ac823e03d2b346923243cadc45419141b1c34820d88315e3a6e708

Download Submit
\Users\Admin\AppData\Local\Temp\5b52e1f220690085370fa4e6c3fa700f_JaffaCakes118.exe.exe

Filesize
46KB

MD5
ebf2a2a3104f03570f88b002b539b4ce

SHA1
a6e78d3159829aa436922a003b8cf8164e9dfadd

SHA256
dd86467e7b4314f34c0d43f55c9a6d90f513bd8e9bb435f17fb0f773df6e3752

SHA512
97314449c8503cdfe720afd0dd0c6aa060e3e68d69701497f8083e47c758c7acc544cacdf68aa0bdf9c4f25e9c18b683dbb035cbf93af7cd88a2e5bba887949d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy236A.tmp\LangDLL.dll

Filesize
5KB

MD5
462dc0d8abebaa425c7808e696ad5a4d

SHA1
db041b23fa77e1658d6c113fa73f4692a9168979

SHA256
faf49e3e51562992570a1b468b18bd6c2c0f9fc2904e3136ca7aaf2a12ad9ac0

SHA512
d1b77873251fa438f8fbebcd94820ba18c236d7f2ac4be85ae503fe6cac90544f889ef4facbca6f8b09c99c7f610a2d0a8aaa88505fce6df1f9b7d8b5eba3f83

Download Submit
memory/2776-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2776-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download