Overview

Tasks (score, target, platform)

7  Static
3  de3e738423...18.exe  windows7-x64
7  de3e738423...18.exe  windows10-2004-x64
7  $PLUGINSDI...rl.dll  windows7-x64
3  $PLUGINSDI...rl.dll  windows10-2004-x64
3  $PLUGINSDI...nu.dll  windows7-x64
3  $PLUGINSDI...nu.dll  windows10-2004-x64
3  $PLUGINSDI...em.dll  windows7-x64
3  $PLUGINSDI...em.dll  windows10-2004-x64
3  $PLUGINSDIR/inetc.dll  windows7-x64
3  $PLUGINSDIR/inetc.dll  windows10-2004-x64
3  $PLUGINSDI...b2.dll  windows7-x64
3  $PLUGINSDI...b2.dll  windows10-2004-x64
3  $PLUGINSDI...on.dll  windows7-x64
3  $PLUGINSDI...on.dll  windows10-2004-x64
3  $PLUGINSDI...ib.dll  windows7-x64
3  $PLUGINSDI...ib.dll  windows10-2004-x64
3  $PROGRAMFI...R6.exe  windows7-x64
3  $PROGRAMFI...R6.exe  windows10-2004-x64
3  $PROGRAMFI...zt.exe  windows7-x64
3  $PROGRAMFI...zt.exe  windows10-2004-x64
3  $R6.exe  windows7-x64
1  $R6.exe  windows10-2004-x64
Analysis (score 3)

max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 13-09-2024 11:19
Static task
static1

Behavioral tasks (task, sample, resource)

behavioral1   de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe   win7-20240704-en
behavioral2   de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe   win10v2004-20240802-en
behavioral3   $PLUGINSDIR/EstUrl.dll   win7-20240903-en
behavioral4   $PLUGINSDIR/EstUrl.dll   win10v2004-20240802-en
behavioral5   $PLUGINSDIR/StartMenu.dll   win7-20240903-en
behavioral6   $PLUGINSDIR/StartMenu.dll   win10v2004-20240802-en
behavioral7   $PLUGINSDIR/System.dll   win7-20240903-en
behavioral8   $PLUGINSDIR/System.dll   win10v2004-20240802-en
behavioral9   $PLUGINSDIR/inetc.dll   win7-20240729-en
behavioral10  $PLUGINSDIR/inetc.dll   win10v2004-20240910-en
behavioral11  $PLUGINSDIR/nsWeb2.dll   win7-20240708-en
behavioral12  $PLUGINSDIR/nsWeb2.dll   win10v2004-20240802-en
behavioral13  $PLUGINSDIR/workerExtension.dll   win7-20240708-en
behavioral14  $PLUGINSDIR/workerExtension.dll   win10v2004-20240802-en
behavioral15  $PLUGINSDIR/zumlib.dll   win7-20240903-en
behavioral16  $PLUGINSDIR/zumlib.dll   win10v2004-20240802-en
behavioral17  $PROGRAMFILES/ESTsoft/ALUpdate/$R6.exe   win7-20240903-en
behavioral18  $PROGRAMFILES/ESTsoft/ALUpdate/$R6.exe   win10v2004-20240802-en
behavioral19  $PROGRAMFILES/ESTsoft/Common/ezt.exe   win7-20240903-en
behavioral20  $PROGRAMFILES/ESTsoft/Common/ezt.exe   win10v2004-20240802-en
behavioral21  $R6.exe   win7-20240903-en
behavioral22  $R6.exe   win10v2004-20240802-en
General

Target: de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Size: 16.7MB
MD5: de3e7384233944a5675df02e0ccb7525
SHA1: 47f65c3214e49b45e3942565e985bd72e7bab2f7
SHA256: 2bd0e04437a3ec21f596e4f21f579e6a6f93d033cb7438381f7ea0a2d0495735
SHA512: f2514f73203ab32d5298d6be1be24dcf9bfb0e99d9b3c1d55db0b04658fd02790fa62badfba5e9b0c6d4e15387bcfe2a977f7b32eb63ba6ecb0008a0e110fb47
SSDEEP: 393216:bbmWlose4y0eHyaqlHc8QUhK24yosun9JLmaoZybz2tOVoarV3:uWlsZVyaY8w14L9JLmS2tOVo4
Malware Config

Signatures

Executes dropped EXE (1 IoC)
pid   Process
2036  stext.exe

Loads dropped DLL (6 IoCs)
pid   Process
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe

Checks for any installed AV software in registry (1 TTP, 6 IoCs)
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80          de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast   de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80                      de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop              de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast               de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stext.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2036  stext.exe
2036  stext.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                                              procid_target
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
PID 2936 wrote to memory of 2036  2936  de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe  31
Processes

1. C:\Users\Admin\AppData\Local\Temp\de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de3e7384233944a5675df02e0ccb7525_JaffaCakes118.exe"
   PID: 2936
   - Loads dropped DLL
   - Checks for any installed AV software in registry
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\nsdC7D3.tmD\stext\stext.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsdC7D3.tmD\stext\stext.exe"
      PID: 2036
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 181KB
MD5: 2c5e13287d27b526c01aace7ea92be9e
SHA1: 3b7895f3e3f9dfa9797d2cf04ad7d3d5548210e6
SHA256: 986ea6d67ded7e67cefe739902194751643982293154ba496d4b5076e0df38e4
SHA512: 51702649d7ccdfd90a1b7d06699d0791ed60fa2419013deda826cfbfac57231fb06000d1e8a3bf866459ad8597393cdf95e559f575dc51c236c3205c69bc36b6

Filesize: 197KB
MD5: d8113c015116547827b0cdc4869c244a
SHA1: 82392f5483c6c175b3955cdf39aa87d550266ecc
SHA256: b7baa631014fbda8fdce67c8b660de8507aaee9b8c572d21746b3078341d3885
SHA512: 907c61006a58dcafa812f03fa08b58814950f66e9019bfcc12eefc59b0f7ab2ddee040e2ab162b7e09c3f47cdc71c914307a6fe7b89e11033edea7131fc2f563

Filesize: 174KB
MD5: 94715ab02d666f0b19590030e1bd4f8a
SHA1: 887f618c0ac49ce0209a0e54f6ae97ac501764df
SHA256: d1b6bbc5aafc9d3d578d7644d28223a64f6c74b31503e260a76037b7d4bf3ccf
SHA512: d6155ea4b62299ed8dd941cd9454aa437a28a6e73e1b4846e18f80fa259ab2a9f819bcd0a8e1cc99ed0e2ae2d8ab921dd041018a08c70bf8a2be44ec0a9442ff

Filesize: 3KB
MD5: 7df755f1fd4936268507acba151bdbfb
SHA1: 88244f9f5b1188ddb7cba16668904ea7c8c8c847
SHA256: 129e7c9241e303ee196cda84fb67ccbd58de350497af64140189189f0e46c598
SHA512: 2c64e8a7414582c36f3a793c82b64864e0f56c6a8bac5f7bd2ce16b0692c25751383d640749926d075608b8a8827d272a6e6a5d74cb4e89e341f24994d85bf6a

Filesize: 3KB
MD5: 9567ac70734060456a435da5dc86f4e8
SHA1: f43afa5886f44d84abb4cceb9f6a904a2f056b27
SHA256: 185aee90294dd86c06430ab7cac4c02c5e1302886e05a782ccc141946834f4fd
SHA512: 807134880641f0cfdd205c426519d9791c94fee05b1c1443cbe38c47efd60c0d39d33ecd31b7b0294730259e2ac900c060d79ad318c6b56e484d19d1adc2a48c

Filesize: 892B
MD5: 3599f7e2dbaf0635e804bd16dae68509
SHA1: 2bcb05cc2be9898aa55d85b32d48990115ca3106
SHA256: eccf7b7d55f6c3dc7385da09054a95ac4892f460cd209a09b8802f93f1159ab4
SHA512: 1667ab44b9b831f3f7287e7f26d06cfd35492b646aa57882ac5573c51ec67633970e72029807ee2d3318316d7a02b08dfbf0483dfa62de207de398b791a07ef2

Filesize: 1KB
MD5: aefbfd69970361c62f7a32fcb6427792
SHA1: 709fe0c9bc09908c283317584e70a37eab593212
SHA256: e9aa70d4614f7d22f70cbd7e3e63868033effd953fa38dda3ae1e213482e88c1
SHA512: 361ce2d004dbd0f87508cc8f4778b84dfc7cbb869218ea9020038c0ca01eef53b805463e62dce6c732bdbb82efa56d844fc3faf0c7107d64962837e9fdf1a4fa

Filesize: 1KB
MD5: 9831bd7d83c4b3cb63c8a6b596546dfd
SHA1: d1a0801df078a55df3be4e7c7e0fe825eaa96536
SHA256: 3be815d3c98a412e2df5e2e5762599cbcfba3c9491c8f50f175a550296701b53
SHA512: d84499eca42739252250918b00d8f95bdd0e58ddb10bf5c5fd5d4b7918d96bfbb582f27c1f3f15ab35fedecb3dd8ca9c6038e8ab9bdd18ab98ec9e80b04fef9c

Filesize: 5KB
MD5: e7ee760c7197832923d16e7066b47814
SHA1: 48f9ca2f31ebcbd638c7fab602b2ac1094acdf0c
SHA256: 79ee8e2762f9edbc0eb76ed6f3fc0cd05ceb8a776d0684c71d44b8abb39d8e40
SHA512: 5f4b79eeaa755ecb184d7b6ea4a4e568435c8a95ea721673c553c59a5208aad7cf8eeadb0cb934f8308caba6e66090046bdbe83b90f67d3d2025445618ff8518

Filesize: 25KB
MD5: e7dbe79c26db8f4b4be7bcfc37c13298
SHA1: 82150b4c51b51da27360de54e450aa58a4d6ee68
SHA256: 37752f12c27eff16f03226a4df11fafc50d94be94040e1317f81f3820b43c3ee
SHA512: 7c4a89fb4c4fcc0dcc83228eb6cb70e282b7c1baeef7f70f527fcebee49bcb8e6e741d8b3e057fbf604e014d1a79daeee587e6f0e12d403ab8af10b6ece761d0

Filesize: 21KB
MD5: 9ae1ca9a2435157188b781d30f88f8a0
SHA1: dcb4dd1bd4508b2103d881a5acd90a5c46f10778
SHA256: ab02e0612084e602c4c4a7149547031f2b5a527c745364db5dbbc4bc581c8179
SHA512: 3bf656ab5ce1a5e1fe5a2b9e185c60bff15c4a565b224640a6de3143c47cc8b8c0e3a292786d805d788cda36c5d4ed261585f4b9b23a1c2530df8ce0664cc988

Filesize: 645KB
MD5: 6284606ed3cde0677eed03e9a9e7f063
SHA1: e59a99dd2d51fd491adab51a9f08b75bce82c3b2
SHA256: 3e4e33e0a0b65e5546604fbcd83014fc3d467eb16a3d9cab0e53284ceb9616a9
SHA512: c535b8e690e47f11609f84ac494dbb301828f367e0a914263463d29d412c1cdba422767b9f3aacae272e63cebbd22b707577d0de9d566bd96163fac633371b7b

Filesize: 549KB
MD5: e22882c6a4f464b95f0137dafedf18be
SHA1: 11e845fb4d6c56c63814346c854e89b9138b2fac
SHA256: 31c46010d24673fcbfcc0f17dceb5fd72520fc92b6a43ae987e35786a50961f6
SHA512: d9bc60317c64679f7e95142b10e154be014912aed551abdb871f94b5d14ac3c918b54b281b5f4fb2f00c1761c089ac56e2df8f99ddfb096a9af4a28d1cfdbdb0

Filesize: 10KB
MD5: b666f31c4c24be1d4d47cfb55dd35f96
SHA1: fee917ead511a6c14538c72539fa740edc7d82c5
SHA256: 07aefeeea75705edcc3a21ac7dc4b5b837c234c041b725c245b50a73ffabb78a
SHA512: 6dd69a085b6b2a2671ec6545bae27a72151457ccd76c3bc43a4544f4910fd8791251fb08c2f068d54dd91a6093bed50a80afb68875a9ddf29ae43c42a7337bc8

Filesize: 3KB
MD5: 6717338e4e0f6283ded89d771c849260
SHA1: aa7dcc18d6bf3b2fb0e74466fb2a5d60cc8aa60c
SHA256: 2d0f153a0a09bb6217cccf3d015100f80216e717bbb9e00eb2482a0964a9c361
SHA512: 5e3e8c1ce87edf8bfb2556dd5672e1c1e9e37e629fc013167a93fded04e65b79c9b6b192b252daffe45c6d03480f825e1fbf998064edd2771cbce925d85d2280