a7a2a6db50d4cc885b8cc6c57f5174aba6ff42d65f4b9fadd664fe11bc694174

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe
Size

191KB
MD5

5d2448b4a3beaba11df91e705266cc98
SHA1

aafd970f02ada9b0335ad9e3707d0d8ebd5b4e4e
SHA256

a7a2a6db50d4cc885b8cc6c57f5174aba6ff42d65f4b9fadd664fe11bc694174
SHA512

10916ce50b030a60c9b27e6f87eb7056cb2c74a07020f7862583bef7c95c609af68daf4217094c5a9b8c60f65eaece2809429b5cd4789ecc18e3409da981f086
SSDEEP

3072:1j3DlADd0kJs+2RsDtLZgqbUT0sNzQa1GHsFpQ59miZTuP0HHKQV6Iymy6xGrVDU:1N7VatLZgJT0sNjbFpQ59m62aKgLylrG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1652	Au_.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	Au_.exe

Loads dropped DLL 9 IoCs

pid	Process
1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe
1652	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016c31-2.dat	nsis_installer_1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	Au_.exe
1652	Au_.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1652	Au_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1652	Au_.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30
PID 1912 wrote to memory of 1652	1912	5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d2448b4a3beaba11df91e705266cc98_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoADDD.tmp\AllRemover.dll

Filesize
52KB

MD5
c4c0c23f01fc5e2b407e2463e8f5080c

SHA1
7a55985593a6398d1a66883ae5f5929d4d9aee52

SHA256
ff0f59a359c306b0cb0a8ed935e2e1208d3532607c32ab849cccb7a15f09dd3d

SHA512
013232e5b14fae8aa83f1e2541370003911f8c827df8a4e419b0ba1f2c090033c97b2fb589e9e27935a45cda0ccf1a8f1076c3342e940b754845a2cec2a421de

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADDD.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADDD.tmp\Math.dll

Filesize
14KB

MD5
bc8b9990819748dd57ccf28b73df57fd

SHA1
3e4f4bef94dec5745e49bdedd9c8ee85621d507c

SHA256
f7c310298a938c77b52094280b56da106d00a63705e2cc4b3eb2a730be01ade4

SHA512
fbeed46e079ae36ae26b655b3bae0cecd89181c8919b4a3aa03d4b32e3a8e365be0ab8df7ffa6e08576e4b8d797edc88a619e21af1d0d7df822250e2ffd3e57b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADDD.tmp\System.dll

Filesize
10KB

MD5
0c8ea8e6637bbf8408104e672d78ba45

SHA1
c231c7acaf9abb7da93f28e1b71bed164d57103e

SHA256
509a93177a7ae130bc3b6b5ec3236c7aa0811b8b86f8ab3442c65fdf8ff85b1f

SHA512
ee763a3cdbbba3b28e6a903ac942c7228bd8e54b19de21d6187e481f2916d833d9b9800e5ac2998f4aa26274cdfb20a8bfdd10f00f2a15d37bcc529b617e1f28

Download Submit
\Users\Admin\AppData\Local\Temp\nsoADDD.tmp\WebBrowserNavigate.dll

Filesize
180KB

MD5
2e50f8f24ebbf06cfe2a48a997dfeb05

SHA1
e019b61713e874f96fd608d47e57d3663f688c5a

SHA256
4d51779da2b3ecd55a8af6b8178ca429bf95b41ca17ce50bb02b681f9ea6d51a

SHA512
73b26668a8f1a2e81915748ceed195a5ded9839578f5c114bdbd216692f646a21344230ab694eb26bd644e1d9a780c71db5d2bba8f92d33389873a5ed87c9420

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
191KB

MD5
5d2448b4a3beaba11df91e705266cc98

SHA1
aafd970f02ada9b0335ad9e3707d0d8ebd5b4e4e

SHA256
a7a2a6db50d4cc885b8cc6c57f5174aba6ff42d65f4b9fadd664fe11bc694174

SHA512
10916ce50b030a60c9b27e6f87eb7056cb2c74a07020f7862583bef7c95c609af68daf4217094c5a9b8c60f65eaece2809429b5cd4789ecc18e3409da981f086

Download Submit