e1df30f5edb94abea6eafaef131110aa4cc618654d487965568d123128453ea9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
Size

6.8MB
MD5

b6dca8a59510ffa1a893eeef55993650
SHA1

9869d24e143272040eff860f87ce1a99b6097c8a
SHA256

e1df30f5edb94abea6eafaef131110aa4cc618654d487965568d123128453ea9
SHA512

1b09fb36995a7e89e04c236070479c278a6e54681eea846e4b2e9398ce63d2323e61cf331443bffdcbb819ed25033ee3102d8ade2bfafbc9c1b849bd22d93f95
SSDEEP

196608:HBTBZ2d1eaCF/dwTrhKheWlWJq/3Ft9uqjrh39SAsI:HBT3I2yTdKheGaq/3Bu2NS5I

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a473-15.dat	acprotect

Executes dropped EXE 12 IoCs

pid	Process
2764	hghacker6.exe
2644	hghacker6.exe
2628	hghacker6.exe
1576	hghacker6.exe
2440	hghacker6.exe
832	hghacker6.exe
588	hghacker6.exe
1748	hghacker6.exe
2964	hghacker6.exe
1288	hghacker6.exe
3016	hghacker6.exe
1516	hghacker6.exe

Loads dropped DLL 49 IoCs

pid	Process
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-0-0x0000000000400000-0x000000000051E000-memory.dmp	upx
behavioral1/files/0x000500000001a473-15.dat	upx
behavioral1/memory/2544-17-0x0000000002860000-0x00000000028CA000-memory.dmp	upx
behavioral1/memory/2544-215-0x0000000000400000-0x000000000051E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2764	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2764	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2764	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2764	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	31
PID 2544 wrote to memory of 2644	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2644	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2644	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2644	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	32
PID 2544 wrote to memory of 2628	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2628	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2628	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2628	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	33
PID 2544 wrote to memory of 2440	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2440	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2440	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	34
PID 2544 wrote to memory of 2440	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	34
PID 2544 wrote to memory of 1576	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	35
PID 2544 wrote to memory of 1576	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	35
PID 2544 wrote to memory of 1576	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	35
PID 2544 wrote to memory of 1576	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	35
PID 2544 wrote to memory of 588	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	36
PID 2544 wrote to memory of 588	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	36
PID 2544 wrote to memory of 588	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	36
PID 2544 wrote to memory of 588	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	36
PID 2544 wrote to memory of 832	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	37
PID 2544 wrote to memory of 832	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	37
PID 2544 wrote to memory of 832	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	37
PID 2544 wrote to memory of 832	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	37
PID 2544 wrote to memory of 2964	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	38
PID 2544 wrote to memory of 2964	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	38
PID 2544 wrote to memory of 2964	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	38
PID 2544 wrote to memory of 2964	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	38
PID 2544 wrote to memory of 1748	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	39
PID 2544 wrote to memory of 1748	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	39
PID 2544 wrote to memory of 1748	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	39
PID 2544 wrote to memory of 1748	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	39
PID 2544 wrote to memory of 3016	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	40
PID 2544 wrote to memory of 3016	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	40
PID 2544 wrote to memory of 3016	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	40
PID 2544 wrote to memory of 3016	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	40
PID 2544 wrote to memory of 1288	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	41
PID 2544 wrote to memory of 1288	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	41
PID 2544 wrote to memory of 1288	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	41
PID 2544 wrote to memory of 1288	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	41
PID 2544 wrote to memory of 1516	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	42
PID 2544 wrote to memory of 1516	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	42
PID 2544 wrote to memory of 1516	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	42
PID 2544 wrote to memory of 1516	2544	b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe	42

C:\Users\Admin\AppData\Local\Temp\b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6dca8a59510ffa1a893eeef55993650_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 1.dll
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 2.dll
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 3.dll
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 4.dll
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 5.dll
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 6.dll
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 7.dll
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 8.dll
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 9.dll
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 10.dll
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 11.dll
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe
  "C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe" filldelete 12.dll
  2⤵
  - Executes dropped EXE
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MMBPlayer\1.dll

Filesize
256KB

MD5
ec87a838931d4d5d2e94a04644788a55

SHA1
2e000fa7e85759c7f4c254d4d9c33ef481e459a7

SHA256
8a39d2abd3999ab73c34db2476849cddf303ce389b35826850f9a700589b4a90

SHA512
9dd0c30167fbeaf68dfbbad8e1af552a7a1fcae120b6e04f1b41fa76c76d5a78922ff828f5cffd8c02965cde57d63dcbfb4c479b3cb49c9d8107a7d5244e9d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\11.dll

Filesize
3.6MB

MD5
350d4f8f5d6c4f3c5399942732ff4d22

SHA1
6f05ab35e66a2057ae52c0a49b376b371c7ef406

SHA256
ef39a8979c5ebbc6b86d22952b5dc213b742aa5bf3b0d5ef1cab359481a97d60

SHA512
e635e931bee7ec86194dcec816493af7caa219a1d776add5d8b4edc3ece7d081ada10f852648e4ddaec181edcbaec7a1251d175d49829ecf77fdb81567dc1c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\2.dll

Filesize
192KB

MD5
ef2e0d18474b2151ef5876b1e89c2f1d

SHA1
aef9802fcf76c67d695bc77322bae5400d3bbe82

SHA256
3381de4ca9f3a477f25989dfc8b744e7916046b7aa369f61a9a2f7dc0963ec9e

SHA512
e81185705a3bd73645bf2b190bbf3aee060c1c72f98fa39665f254a755b0a5723ce8296422874eb50c7b5e8d6bcd90175b0ba28061221039172a3f50e8902cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\4.dll

Filesize
320KB

MD5
1aca77e2188f52a62674fe8a873bdaba

SHA1
bafcbe972b6e69cd415ded38cb995f1bca983929

SHA256
dae4d3dce1bb0a9414f61a65ee07622fa225ec01e6efe6df6e78f9ad5c58480d

SHA512
57dedadf3db382d2139a88424ffa44482f1a70f12e8ce74b1656b1243b06a0f11f604155e9076e1dae31735b5d621e2d8e4e352fb220f12124c630b7f9329a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\5.dll

Filesize
1.1MB

MD5
7fb23959f1765b70c3afe135aca2406c

SHA1
171d70a7e4dc201210b7b16b7af02dfa80e4f924

SHA256
f1295e11a9e904f62008f50df5da2a0c3a89d90ffb9c445ae11789704413d396

SHA512
05d9ae742ef748c190ca044f1ebfb6b57d61423402f1ad6dbc52c4a5e4297ffbeb76d1b6b2e2ccbc53db286f7eb6436cdec5c03d2984c0e70b92a8e6aa9039f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\6.dll

Filesize
960KB

MD5
63a6c5a8b8da92e30cd0ef23c56d4f06

SHA1
b029e4a16d1490fe4f6eebf6a0867e303948e7e5

SHA256
ca02793076b8845454d3cc4d949bda5bc49fe16d063e310331f86318ed644ba7

SHA512
82e2f8b9ecf51cd318acbd32df95dd9c5a6db4f16b7b0179ef5ecfc9b47aa0648aaa2f328c780569c73e6cd4a8fe8e183df3a8eda99d3087a94c4170d5ec8d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMBPlayer\hghacker6.exe

Filesize
57KB

MD5
7786f5cf67f571c6d79aa263e4ad9d21

SHA1
8953e4ab6c77592269936a274877a8017b35e25e

SHA256
3c32b0a646fbb805e098a5f39536b0386cff38d3157a286e985d9d7ac08c5b15

SHA512
0c70421b1dc3f7a9a84c0fc91cf099b5bf16c86b0cc38d70add84d72642918a51c5c4d6304c07441da6e594abc74fbc5663b2934aadff1b7ce6dd375f63da1dc

Download Submit
\Users\Admin\AppData\Local\Temp\MMBPlayer\MMBMisc.dll

Filesize
160KB

MD5
aac005d1197cba6c0f9a725c889d489d

SHA1
b31f7126dd1aea03d58cd33a6b9a49685471a5e2

SHA256
a584007ac2173048bb8f6e94022b661dc955105d39fcb206d7df339abfee661d

SHA512
b88331674f869221724361afcb687d4104ce9381f074b67816af13110365e2ff055d5e31638e868c1d5ca0c871d87da69fb6eba3daca097b104ed9ccf0a89e8f

Download Submit
memory/2544-0-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/2544-17-0x0000000002860000-0x00000000028CA000-memory.dmp

Filesize
424KB

Download
memory/2544-215-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download