15be226231ee990233f181c74ad81a71205dcad0d212f33acf6c997f2867462f

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
Size

3.2MB
MD5

fc238d56038e9e5094038122ab07f016
SHA1

a6eb33748cf13f597e58f6d54e07dde03f5d041f
SHA256

15be226231ee990233f181c74ad81a71205dcad0d212f33acf6c997f2867462f
SHA512

76cad4bae7cb4c54c3b6ccbba6fc0e2d6511c8dbca07ae15738f4216c0e37be15e3a73b0b9a2fa4fd4be38d088694f2528a3f7fc3a313b4eb2c87a462a6b49a1
SSDEEP

98304:zvtgs39n1t0udUbvSIzHqxrweXZFhmU5j3sY:zvSs39nT7ivPKVtmd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3052	nsA21B.tmp
2328	InstGameInfoHelper.exe

Loads dropped DLL 5 IoCs

pid	Process
1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
3052	nsA21B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsA21B.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstGameInfoHelper.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	InstGameInfoHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	InstGameInfoHelper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3052	1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3052	1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3052	1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	30
PID 1724 wrote to memory of 3052	1724	fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32
PID 3052 wrote to memory of 2328	3052	nsA21B.tmp	32

C:\Users\Admin\AppData\Local\Temp\fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc238d56038e9e5094038122ab07f016_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\nsA21B.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\nsA21B.tmp" "C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\InstGameInfoHelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\InstGameInfoHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\InstGameInfoHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB06D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB08F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\InstGameInfoHelper.exe

Filesize
98KB

MD5
ec08c1c867ded8f5221aefb969b161c1

SHA1
839866cc28b401d1d3f0f07aa8f13803f56b496a

SHA256
f3bd166834e626631abe30c2353dd1c015d8b9cf6b63cf94164478e6cbf3c0be

SHA512
34c35aab50e9207bdb50cb619c0882b585577b46cdd23710663dcfeceaca8b7c4248e082ad28c2718201225c42d0ad559ebd0ebe904a588d324d50d44774a7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\ftdownload.dat

Filesize
512B

MD5
a7d80ce4c7651bdae8bbc2e149fe76b2

SHA1
46724d4b90d484f12e6d0531c25c5e7abfcedfd2

SHA256
b8b34eeae2da1840b5301665fd2e66def8c8a28836eb87752187f1510dc82eea

SHA512
4dff4dd2f1976c5bc829821def2ae9255348864280471a3141cdf368cfbcd5ed76264a361e67e7eaedf81895324d336978a3bdabc7abb5dda2cfc18cd0494f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\gametitle.txt

Filesize
7B

MD5
ef204df0430a7e6dc01fd819de9163cd

SHA1
0046d09b3d18e4bde7f8e917c5594790b27a708b

SHA256
5418d8082209dd2664d8d98045dc8f05d29f4057841f63250587c71e8dd8b001

SHA512
7b5cc5c1b86be312ea970ffc2b11297e7d56a152da5a3626b2c39e01b787d89e49dc93db43d1abe125ab1b706347b48a556892a84fde2736d845e27d47ffe96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\tn_feat.bmp

Filesize
243B

MD5
1d11ba4729a6d313267cbc240c9f6534

SHA1
c98f13700cc67da29321ea5d189d17eae7a63e8d

SHA256
d677a4238239e10beabe388a4aabcfe39ca150d6a51f404c8d8be27aff1de449

SHA512
4e8cfd51258882fba8f3cb5d5cbe42c6f70237d0b3d70d60105d104a53a324e22836b18d8dde8d7529241c581bcb093965d04800a30a679cf2229b241ec13dd8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\System.dll

Filesize
10KB

MD5
7d85b1f619a3023cc693a88f040826d2

SHA1
09f5d32f8143e7e0d9270430708db1b9fc8871a8

SHA256
dc198967b0fb2bc7aaab0886a700c7f4d8cb346c4f9d48b9b220487b0dfe8a18

SHA512
5465804c56d6251bf369609e1b44207b717228a8ac36c7992470b9daf4a231256c0ce95e0b027c4164e62d9656742a56e2b51e9347c8b17ab51ff40f32928c85

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\nsA21B.tmp

Filesize
6KB

MD5
8c05c6c4c781d8da520ab78f9a4a1c98

SHA1
3e883bc548fb51c8ed1880c8b91d9fd4ccfb2033

SHA256
2cf3490717e10af42d7995a95cbb17df4dc7adf7ff143e9c386651c42b7a3c60

SHA512
d8ba933c457a0a53434d9993995fb3e94d4297d04d1af9bffedf20485b67bba7e6ef7ea18b821ae5d85dcb09b2e71fdc015fcccc949904b80cb17d90d0e2278b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdA20A.tmp\nsExec.dll

Filesize
6KB

MD5
907db8118c510976d58a75dd9cf7d0e3

SHA1
90446f992946000038807d2966fd71e30e61b1c8

SHA256
d166786a2091215ab6360853bc591e7045dd9bc697f45f0b19332b8d629af32e

SHA512
f2afc42f03d95ef68c113cb13b47f3b027e5cf8ce7b492a4c15867d72bcd81122d2c70786c52146ac65d5b9e137ed15324b7515f089be3b3efc6711dc0c6e146

Download Submit