05f1a5cfaada94fb45ea0d10aadcf028ce2103efb956e0b0aba129b6204bb234

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
Size

64KB
MD5

e0d19a065df7ac0ec82266242445c371
SHA1

3a6096d3114432d83e1bf7084e8734f044d78773
SHA256

05f1a5cfaada94fb45ea0d10aadcf028ce2103efb956e0b0aba129b6204bb234
SHA512

62ee48890951b11fae72de5f531017384fb05101ad4034aae2125806d07302f73c916fb07564dec3b29a5409aa5b20bb6070dd40d33118f3c4181f1170bf0132
SSDEEP

1536:Le49WbAw77+ekp5jr+/CjXmS8qcy4rLnVO:ifbX7SXHiCTmjy4fng

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4436	iWinGamesSetup.exe
4904	InstGameInfoHelper.exe

Loads dropped DLL 8 IoCs

pid	Process
1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
4436	iWinGamesSetup.exe
4436	iWinGamesSetup.exe
4436	iWinGamesSetup.exe
4436	iWinGamesSetup.exe
4436	iWinGamesSetup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1740-0-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/1740-47-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iWinGamesSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelper.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234af-16.dat	nsis_installer_1
behavioral2/files/0x00070000000234af-16.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4436	1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe	86
PID 1740 wrote to memory of 4436	1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe	86
PID 1740 wrote to memory of 4436	1740	e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe	86
PID 4436 wrote to memory of 4904	4436	iWinGamesSetup.exe	87
PID 4436 wrote to memory of 4904	4436	iWinGamesSetup.exe	87
PID 4436 wrote to memory of 4904	4436	iWinGamesSetup.exe	87

C:\Users\Admin\AppData\Local\Temp\e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0d19a065df7ac0ec82266242445c371_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\iWinGamesSetup.exe
  C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\iWinGamesSetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\BgImage.dll

Filesize
7KB

MD5
0e6d71e08eb5f3fe111c2fc10cf3f669

SHA1
e50d07fa89a8a36e39196ef91ee10e6ce7e96289

SHA256
df4ae53731440c2a7fbabac6ded7684fadc03c050c3190a6ec38b1eaf88b76b9

SHA512
20325b41ea54f8aeae09a127e15400d462e99a86365d8b82d4b2d2cc13db6d7ecbb9e5db23091d8b68a92b3bb8cf87fabf9decd3f77089e32af2cdbfd705b77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\InstGameInfoHelper.exe

Filesize
99KB

MD5
3d3d2bf9c42dbdf97247775c00f22190

SHA1
7a046170aaeb5e1a29d8c8cd7c32225f49237aa1

SHA256
59f09ba2c79a209008e76d0478bb691a9fdb2180d84318d9fc73b10401aa853a

SHA512
6e66c4ff467e286cd5dc1d4ccd412fec32cfd01514db6c339fd275eaab5f3b549e223e9330bc61ff19048df70b81b66dfcc78ac351aa2c5ff45cf8d197140466

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\gametitle.txt

Filesize
16B

MD5
dca5223e098ad10dd7dd81dc5ffa2d11

SHA1
3df81c3f2ee60bd5260b019f6ab95299c1e01d71

SHA256
8e607f94a723de44f5a0d9ea3501b9c07ce8e979c12c0e76b18deff5dfe2e3aa

SHA512
2343b66a9ac892e610283fd8b28554bef79e907f99a1ca8c1d46d83824a6b107afc620292f337ce8de17c6a45bb7bcff27ccaf76c187c71b8219543299e85026

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\tn_feat.bmp

Filesize
4KB

MD5
3df1659257c15fef71f5a51c21123f24

SHA1
e71dd78cd4e776dc35c3c38f0ea1c9bb3454cc5f

SHA256
05d1d54b0f0001fe58e381d1937f85f9dae2238bd1ded161ed00e16e25e60565

SHA512
aba97cced61f9ceb6cde2b78e59673d3ab45420fc1c0b4b22924f4a781717405bdc4f29279127435e6556224af7280e31e33583b3bfda046d9c5216d98c0014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\ftdownload.dat

Filesize
512B

MD5
b56223bc7b75518cbe1f80c84cfea665

SHA1
5f450387fe3e9441648c4e8ce34fc66da19e682f

SHA256
a2f723428137708e5fda88e5d971c1e3ee86708770024810e1cb30dbb1c26b0b

SHA512
23a0df16586f8b71cab49328d49080f6b814f0dd8102289a71c0581ca7ad612222f078e6c4e23ccad8275772d520654db2c19b13bd18c27d2f816e0f87b5fc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu921F.tmp\iWinGamesSetup.exe

Filesize
46.7MB

MD5
0fa4e9e8c42539588ac8957812411ac6

SHA1
951bd2e7a886f16f37a0ffcb45e07b716f3d17dc

SHA256
28589df479939cd317be5e9462bcc071c8b83973e4ca51724a34943393731d6a

SHA512
7e704a760e5cae71aae9116702a35b54c1287222e3dd64f65195cec52186e747e458a6dc1263e27c54438d1aeb46c653ba30826ab234389bb398f71628253649

Download Submit
memory/1740-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1740-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download