7d61f084f43e4f3219c6d43910b998693703c16bee64d6553b07c7d894c616e7

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe
Size

121KB
MD5

a202f186f53fd1968bae80ebd5042c65
SHA1

5ae007bf528f99111a27e708b4213047e9c656c8
SHA256

7d61f084f43e4f3219c6d43910b998693703c16bee64d6553b07c7d894c616e7
SHA512

1de52fde7c3ffc950079a3b4998584b3dbe7ea12b103374f89feee3297bf6bbdd0a6b2bdc5e7eca49b67d273d52c423559df84da035afac88bbdef594dbbc38b
SSDEEP

3072:ZLk395hYXJnceADRRD2xMKdWanB5u9+nleepEcB94p:ZQq1mDRZRwB1eepEcBw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1580	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe
1580	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000015d7b-2.dat	nsis_installer_1
behavioral1/files/0x0008000000015d7b-2.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1580	Au_.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1580	2388	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1580	2388	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1580	2388	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe	30
PID 2388 wrote to memory of 1580	2388	a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a202f186f53fd1968bae80ebd5042c65_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsoAE2B.tmp\NSISList.dll

Filesize
97KB

MD5
2e0785f18f8714393bc4bc1fe170eadf

SHA1
1efba431c0fac46c6cb6f60dc08f65a0e23ccf3d

SHA256
e68d65626b24e7c1f6fbe1001f43174d0243095181025736f37ad704662f4351

SHA512
8a272bb264fa066960a4f34411a81652839eccdbc6fa25be20c0b94d7d10b16cb568338abb5d1a96c155cbc4bc7923d0387fa36bed69c1021296cc6cc5fbb45e

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
121KB

MD5
a202f186f53fd1968bae80ebd5042c65

SHA1
5ae007bf528f99111a27e708b4213047e9c656c8

SHA256
7d61f084f43e4f3219c6d43910b998693703c16bee64d6553b07c7d894c616e7

SHA512
1de52fde7c3ffc950079a3b4998584b3dbe7ea12b103374f89feee3297bf6bbdd0a6b2bdc5e7eca49b67d273d52c423559df84da035afac88bbdef594dbbc38b

Download Submit
memory/1580-11-0x0000000000590000-0x00000000005AD000-memory.dmp

Filesize
116KB

Download