Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11/08/2024, 07:23 UTC

General

  • Target

    897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe

  • Size

    807KB

  • MD5

    897ebbd4c1390a48bcd17b6a79eae49b

  • SHA1

    518744c5a68cb2871eed78f45ce7405bda4b93c4

  • SHA256

    9447041d2e74175bf1aeb7437703a01e6badfd76dc355c51048b79b517755135

  • SHA512

    e15fe7ca7c7bf173998cc66216142f35ba669e4d46be2cd5b09b954df83236daacb3af76f5d0d0522e928292402492130d01aef1b6ca62c9606954de6a5614a2

  • SSDEEP

    24576:9AlGUjsjkycf3Eo631bJd5A8uvKxsLvKRyvKiHPdt6:9cjs23EowbSDvKevKRyvKivdt6

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 33 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser profile data, which can include saved credentials, cookies and autofill data.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\nsy80B5.tmp\dllstub.exe
      C:\Users\Admin\AppData\Local\Temp\nsy80B5.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~8512~5592~~URL Parts Error~~SendRequest Error~46-05-CC-59-11-A3~#~~SendRequest Error~~IE~~
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2940
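
Detection logic for the process tree above, added here as an example and not part of the sandbox report: it re-creates the observed chain (an installer run straight out of %TEMP%, plugins and dllstub.exe dropped into nsy80B5.tmp, dllstub.exe spawned from that directory, a DNS lookup for www.dlappzonenorth.com) as constructed Sysmon-style events and runs four rules over them. The hashes, paths, PIDs and domain come from the report; the event layout, event ids, rule names and the benign noise events are assumptions made for the example.

```python
"""Detection pass over the NSIS process tree from the report above.

Added example, not sandbox output. SAMPLE_EVENTS is constructed to mirror the
report; the minimal Sysmon-style dict layout (id 1 = process create,
7 = image load, 11 = file create, 22 = DNS query) is an assumption.
"""
import re
from collections import Counter

# SHA256 of files listed under "Downloads" in the report, keyed to their names.
DROPPED_SHA256 = {
    "d15d7b654ffcf244b7ed023a2dd73d3869500d111ad3e6c024a83a4f8c0f5a9f": "dllstub.exe",
    "dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f": "System.dll",
    "ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1": "registry.dll",
}
# Domain queried by the sample; the sandbox lookup returned no records.
BAD_DOMAINS = {"www.dlappzonenorth.com"}

# NSIS unpacks its plugins to %TEMP%\ns<letter><4 hex>.tmp\ (nsy80B5.tmp above).
NSIS_PLUGIN_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.I)
# An executable launched directly out of %TEMP% (the parent in this tree).
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed, in chronological order
    {"id": 1, "pid": 1620, "ppid": 900,
     "image": TMP + r"\897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe"},
    {"id": 11, "pid": 1620, "target": TMP + r"\nsy80B5.tmp\System.dll",
     "sha256": "dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f"},
    {"id": 7, "pid": 1620, "image_loaded": TMP + r"\nsy80B5.tmp\System.dll"},
    {"id": 11, "pid": 1620, "target": TMP + r"\nsy80B5.tmp\dllstub.exe",
     "sha256": "d15d7b654ffcf244b7ed023a2dd73d3869500d111ad3e6c024a83a4f8c0f5a9f"},
    {"id": 1, "pid": 2940, "ppid": 1620, "image": TMP + r"\nsy80B5.tmp\dllstub.exe"},
    {"id": 22, "pid": 1620, "query": "www.dlappzonenorth.com", "answers": []},
    # benign noise (constructed): an ordinary process and a System32 DLL load
    {"id": 1, "pid": 3000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 7, "pid": 3000, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
]


def detect(events):
    """Return findings as dicts {"rule", "pid", "detail"}, in event order."""
    images = {}  # pid -> image path, filled from process-create events
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev["pid"], "detail": detail})

    for ev in events:
        if ev["id"] == 1:  # process create: child in an NSIS plugin dir, parent in %TEMP%
            images[ev["pid"]] = ev["image"]
            parent = images.get(ev["ppid"], "")
            if NSIS_PLUGIN_DIR.search(ev["image"]) and TEMP_EXE.search(parent):
                hit("nsis_plugin_exe_spawned_by_temp_installer", ev, ev["image"])
        elif ev["id"] == 7:  # image load out of an NSIS plugin dir ("Loads dropped DLL")
            if NSIS_PLUGIN_DIR.search(ev["image_loaded"]):
                hit("dll_loaded_from_nsis_plugin_dir", ev, ev["image_loaded"])
        elif ev["id"] == 11:  # file create whose hash matches a known dropped file
            name = DROPPED_SHA256.get(ev.get("sha256", "").lower())
            if name:
                hit("known_dropped_file_hash", ev, f"{name} -> {ev['target']}")
        elif ev["id"] == 22:  # DNS: alert on the query itself, not on a resolved answer
            if ev["query"].lower() in BAD_DOMAINS:
                note = "" if ev["answers"] else " (no answer: dead or sinkholed)"
                hit("known_bad_domain_query", ev, ev["query"] + note)
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a one-line triage verdict."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
    print(summarize(found))
```

Two design points: the DNS rule fires on the lookup rather than on a successful resolution, because the sandbox saw no answer for the domain and dead or sinkholed infrastructure is still a strong indicator; and the NSIS temp-directory pattern alone is noisy (legitimate NSIS installers use the same ns????.tmp layout), so the process rule also requires the parent to be an executable run straight out of %TEMP%.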

Network

  • flag-us
    DNS
    www.dlappzonenorth.com
    897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.dlappzonenorth.com
    IN A
    Response
    (no results found)
  • 8.8.8.8:53
    www.dlappzonenorth.com
    dns
    897ebbd4c1390a48bcd17b6a79eae49b_JaffaCakes118.exe
    68 B
    141 B
    1
    1

    DNS Request

    www.dlappzonenorth.com

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\GetVersion.dll

    Filesize

    6KB

    MD5

    5264f7d6d89d1dc04955cfb391798446

    SHA1

    211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

    SHA256

    7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

    SHA512

    80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\Math.dll

    Filesize

    66KB

    MD5

    b140459077c7c39be4bef249c2f84535

    SHA1

    c56498241c2ddafb01961596da16d08d1b11cd35

    SHA256

    0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

    SHA512

    fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\UserInfo.dll

    Filesize

    4KB

    MD5

    7579ade7ae1747a31960a228ce02e666

    SHA1

    8ec8571a296737e819dcf86353a43fcf8ec63351

    SHA256

    564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

    SHA512

    a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\dllstub.exe

    Filesize

    124KB

    MD5

    f67aa69c6f6edc8cbe1ac1dbd946f103

    SHA1

    e03f83f361046e5b959243e49538e2250ece8249

    SHA256

    d15d7b654ffcf244b7ed023a2dd73d3869500d111ad3e6c024a83a4f8c0f5a9f

    SHA512

    8f82b43b2ba3fed03f157f332034fd3096b4cfd872e21d16d874991394b3879ee2f6c122419cb1f2a80dc71838dbdce672d20f0130cf73768d5a40f2cf69ad22

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\intlib.dll

    Filesize

    24KB

    MD5

    1efbbf5a54eb145a1a422046fd8dfb2c

    SHA1

    ec4efd0a95bb72fd4cf47423647e33e5a3fddf26

    SHA256

    983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341

    SHA512

    7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

  • \Users\Admin\AppData\Local\Temp\nsy80B5.tmp\registry.dll

    Filesize

    16KB

    MD5

    24a7a119e289f1b5b69f3d6cf258db7c

    SHA1

    fec84298f9819adf155fcf4e9e57dd402636c177

    SHA256

    ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1

    SHA512

    fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

  • memory/1620-56-0x0000000000970000-0x000000000098A000-memory.dmp

    Filesize

    104KB
