bb266b9b427984f57392b6c531c800888e3c4a3c703a407b5e31d2db9a8623d5

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
Size

1.1MB
MD5

f5c0180c8ebf2d236bd39d142b592c48
SHA1

d41fba8c0cd414e1104bceb4556287eff9c5104e
SHA256

bb266b9b427984f57392b6c531c800888e3c4a3c703a407b5e31d2db9a8623d5
SHA512

7a2295059270969a15e8e78c0de43852b7e71da9de0c4b5e9283abbfc3d8636b2ce1001f4e24baf7393502b3dd039133433012d541eda333e814acef11dff593
SSDEEP

24576:PsYgCqdtqjeiqkMb/jUMQh+yFmgkS52RWALmce/TkfMaswtkNMB6dw:PNYdtORMbQMS3ogkS52RWAqcy4fMaswd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4336	nbinderpro_setup.exe

Loads dropped DLL 2 IoCs

pid	Process
4336	nbinderpro_setup.exe
4336	nbinderpro_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbinderpro_setup.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00090000000234b6-5.dat	nsis_installer_1
behavioral2/files/0x00090000000234b6-5.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4336	3116	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	82
PID 3116 wrote to memory of 4336	3116	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	82
PID 3116 wrote to memory of 4336	3116	f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5c0180c8ebf2d236bd39d142b592c48_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbinderpro_setup.exe

Filesize
600KB

MD5
b97bf60a6d0cd066253d7fb12f43a09b

SHA1
529d4d3432d361db36b743952ace87f00db445f1

SHA256
c0e585128931bfd43d52c718fe7886c066c8bb992453e3919c348b36ccbe43fc

SHA512
75933cc38b7e23a8d2556363be1e1a96edb093f4ccbde235856f1602d3eb576cc74d1ea8d9c73a095fb1d6fa711d610230c4f87a8fe3170fa960adaf84fb468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6D33.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6D33.tmp\LangDLL.dll

Filesize
5KB

MD5
8c909780802ac2097ea4132e6375acd2

SHA1
b35fbda0725d7c66281d5c340b53eb5d54922583

SHA256
c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f

SHA512
e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6D33.tmp\ioSpecial.ini

Filesize
698B

MD5
ec4ec7258ddace9997278698f97e29ad

SHA1
24177f6efef932268a24ec3b442a3d296a9b6906

SHA256
9db3380aeb3ce2f53184f71a8d53a2ac38fc15575b593a070b23dde555771a69

SHA512
ee3e04a7bc111dfbd3d247598288e679e9fe9446540b9bf2ec4051a0c1a2bcab95e2e1fbdcab56afdfdf7b38223ba33810220a94907591543221fb732f38dc70

Download Submit