Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 25/08/2024, 07:04
Static task static1
Behavioral task behavioral1: Sample c03424595ab2bf4310e27fef69eb3254_JaffaCakes118.exe, Resource win7-20240729-en
Behavioral task behavioral2: Sample c03424595ab2bf4310e27fef69eb3254_JaffaCakes118.exe, Resource win10v2004-20240802-en
Behavioral task behavioral3: Sample $PLUGINSDIR/DLLWaitForKillProgram.dll, Resource win7-20240708-en
Behavioral task behavioral4: Sample $PLUGINSDIR/DLLWaitForKillProgram.dll, Resource win10v2004-20240802-en
Behavioral task behavioral5: Sample $PLUGINSDIR/DLLWebCount_new.dll, Resource win7-20240704-en
Behavioral task behavioral6: Sample $PLUGINSDIR/DLLWebCount_new.dll, Resource win10v2004-20240802-en
Behavioral task behavioral7: Sample $PLUGINSDIR/IEFunctions.dll, Resource win7-20240729-en
Behavioral task behavioral8: Sample $PLUGINSDIR/IEFunctions.dll, Resource win10v2004-20240802-en
Behavioral task behavioral9: Sample $PLUGINSDIR/InstallOptions.dll, Resource win7-20240705-en
Behavioral task behavioral10: Sample $PLUGINSDIR/InstallOptions.dll, Resource win10v2004-20240802-en
Behavioral task behavioral11: Sample $PLUGINSDIR/KillProcDLL.dll, Resource win7-20240705-en
Behavioral task behavioral12: Sample $PLUGINSDIR/KillProcDLL.dll, Resource win10v2004-20240802-en
Behavioral task behavioral13: Sample $PLUGINSDIR/SelfDelete.dll, Resource win7-20240705-en
Behavioral task behavioral14: Sample $PLUGINSDIR/SelfDelete.dll, Resource win10v2004-20240802-en
Behavioral task behavioral15: Sample $PLUGINSDIR/processes_second.dll, Resource win7-20240704-en
Behavioral task behavioral16: Sample $PLUGINSDIR/processes_second.dll, Resource win10v2004-20240802-en
Behavioral task behavioral17: Sample $PLUGINSDIR/stack.dll, Resource win7-20240729-en
Behavioral task behavioral18: Sample $PLUGINSDIR/stack.dll, Resource win10v2004-20240802-en
Behavioral task behavioral19: Sample RClean.exe, Resource win7-20240705-en
Behavioral task behavioral20: Sample RClean.exe, Resource win10v2004-20240802-en
Behavioral task behavioral21: Sample RCleanT.exe, Resource win7-20240708-en
Behavioral task behavioral22: Sample RCleanT.exe, Resource win10v2004-20240802-en
Behavioral task behavioral23: Sample Uninstall.exe, Resource win7-20240704-en
Behavioral task behavioral24: Sample Uninstall.exe, Resource win10v2004-20240802-en
Behavioral task behavioral25: Sample $PLUGINSDIR/DLLWaitForKillProgram.dll, Resource win7-20240705-en
Behavioral task behavioral26: Sample $PLUGINSDIR/DLLWaitForKillProgram.dll, Resource win10v2004-20240802-en
Behavioral task behavioral27: Sample $PLUGINSDIR/DLLWebCount_new.dll, Resource win7-20240708-en
Behavioral task behavioral28: Sample $PLUGINSDIR/DLLWebCount_new.dll, Resource win10v2004-20240802-en
Behavioral task behavioral29: Sample $PLUGINSDIR/IEFunctions.dll, Resource win7-20240704-en
Behavioral task behavioral30: Sample $PLUGINSDIR/IEFunctions.dll, Resource win10v2004-20240802-en
Behavioral task behavioral31: Sample $PLUGINSDIR/InstallOptions.dll, Resource win7-20240708-en
Behavioral task behavioral32: Sample $PLUGINSDIR/InstallOptions.dll, Resource win10v2004-20240802-en
General
- Target: Uninstall.exe
- Size: 88KB
- MD5: 2d06f4000af9632594d69f771b24cc99
- SHA1: dceaddf53206b8168386971ea0c0e2d3dfa1a4a7
- SHA256: b89c51188eaabe830f78c8ae021f50b4a2962360d7bdd260e9b967ad91945dd0
- SHA512: 3c451cc8f72303920097235c5fb42229194450b95fbf57d8d391ee3412a77374c5d3cd53138335b50250e33a1c7c4fd200378dade7954b2500445e4b7631a95e
- SSDEEP: 1536:8pgpHzb9dZVX9fHMvG0D3XJZ5abZyNTXpUnax++HE63ttNESPA6C/0qC:KgXdZt9P6D3XJ3aELpIcE6rF60qC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2320, Process Au_.exe
- Loads dropped DLL (5 IoCs)
  pid 1488, Process Uninstall.exe
  pid 2320, Process Au_.exe (4 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process Uninstall.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process Au_.exe
- NSIS installer (2 IoCs)
  resource behavioral23/files/0x0005000000019258-2.dat, yara_rule nsis_installer_1
  resource behavioral23/files/0x0005000000019258-2.dat, yara_rule nsis_installer_2
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2320, Process Au_.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1488 (Uninstall.exe) wrote to memory of PID 2320, procid_target 30 (7 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
  PID: 1488
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 1488)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    PID: 2320
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 568B
  MD5: 63b6303269be2584b5d1572d8e270538
  SHA1: 02c3f5dc91df27abdc99d4c405cdfde6740dfea3
  SHA256: 84a5d6d9ed4269597c96de5817f06fcaea923200e46fcf34a66e307b58dadc8e
  SHA512: 53b685d9ca7fb8568b8f98944f90bd8c1560f7bd2f4ae4c9b7b777f243209e7c2fb4358be2608ac68900e6449b98923edd349a8f352c5ef6e36b28c946ba6ac0
- Filesize: 581B
  MD5: b2cd0f194de2e0892b9535ff8b41340e
  SHA1: 889e61a18acef323e3e799c7d9f839809c3f6465
  SHA256: 7bd73f2a4adb49c836878add9cae0002ec4bd8f95db9e8db019e0b2ac47622ba
  SHA512: 751e2de68cb9971b6f1211d15a98576ce5f17a0c3a78d26f860825d530dafc28c8738b84c3fa79666be358dde8217b12a2b1e9e25da0c92be53510d21d449fbb
- Filesize: 14KB
  MD5: eef9e469e8a30717974499f277d97e2a
  SHA1: 2d33c25984ebd9116beeb55cdde4c5c86c023e5d
  SHA256: 1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
  SHA512: d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48
- Filesize: 88KB
  MD5: 2d06f4000af9632594d69f771b24cc99
  SHA1: dceaddf53206b8168386971ea0c0e2d3dfa1a4a7
  SHA256: b89c51188eaabe830f78c8ae021f50b4a2962360d7bdd260e9b967ad91945dd0
  SHA512: 3c451cc8f72303920097235c5fb42229194450b95fbf57d8d391ee3412a77374c5d3cd53138335b50250e33a1c7c4fd200378dade7954b2500445e4b7631a95e