bb266b9b427984f57392b6c531c800888e3c4a3c703a407b5e31d2db9a8623d5

Analysis

max time kernel
100s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
Size

1.1MB
MD5

f5c0180c8ebf2d236bd39d142b592c48
SHA1

d41fba8c0cd414e1104bceb4556287eff9c5104e
SHA256

bb266b9b427984f57392b6c531c800888e3c4a3c703a407b5e31d2db9a8623d5
SHA512

7a2295059270969a15e8e78c0de43852b7e71da9de0c4b5e9283abbfc3d8636b2ce1001f4e24baf7393502b3dd039133433012d541eda333e814acef11dff593
SSDEEP

24576:PsYgCqdtqjeiqkMb/jUMQh+yFmgkS52RWALmce/TkfMaswtkNMB6dw:PNYdtORMbQMS3ogkS52RWAqcy4fMaswd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	nbinderpro_setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
2108	nbinderpro_setup.exe
2108	nbinderpro_setup.exe
2108	nbinderpro_setup.exe
2108	nbinderpro_setup.exe
2108	nbinderpro_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbinderpro_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016ae9-4.dat	nsis_installer_1
behavioral1/files/0x0008000000016ae9-4.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	nbinderpro_setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29
PID 2604 wrote to memory of 2108	2604	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszFE7D.tmp\ioSpecial.ini

Filesize
737B

MD5
fca0661568e5cfcfde275e0f843ac618

SHA1
15c71f285d5798001cfe6d686bb4b2303aba8d5f

SHA256
114bf4647ebd77c923ffedf3d3646e94befa5e31f29d0a3518cc2f5b3ea726f3

SHA512
0b744873ea59bb3b76311bbc80f8c2eeb69e31b9ddfeb7f1632c25c8035776c478f2866636efbae3857ad8ffc4453692ca60bd917c6148bd1ca2121d55e5bdd7

Download Submit
\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe

Filesize
600KB

MD5
b97bf60a6d0cd066253d7fb12f43a09b

SHA1
529d4d3432d361db36b743952ace87f00db445f1

SHA256
c0e585128931bfd43d52c718fe7886c066c8bb992453e3919c348b36ccbe43fc

SHA512
75933cc38b7e23a8d2556363be1e1a96edb093f4ccbde235856f1602d3eb576cc74d1ea8d9c73a095fb1d6fa711d610230c4f87a8fe3170fa960adaf84fb468b

Download Submit
\Users\Admin\AppData\Local\Temp\nszFE7D.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nszFE7D.tmp\LangDLL.dll

Filesize
5KB

MD5
8c909780802ac2097ea4132e6375acd2

SHA1
b35fbda0725d7c66281d5c340b53eb5d54922583

SHA256
c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f

SHA512
e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08

Download Submit