Overview
overview
7Static
static
3fddb8b56a0...18.exe
windows7-x64
7fddb8b56a0...18.exe
windows10-2004-x64
7$0/resultbar.dll
windows7-x64
1$0/resultbar.dll
windows10-2004-x64
1$0/resultbar.exe
windows7-x64
1$0/resultbar.exe
windows10-2004-x64
3$0/uninstall.exe
windows7-x64
7$0/uninstall.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Analysis
-
max time kernel
145s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-09-2024 05:10
Static task
static1
Behavioral task
behavioral1
Sample
fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$0/resultbar.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$0/resultbar.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$0/resultbar.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
$0/resultbar.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$0/uninstall.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$0/uninstall.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe
-
Size
654KB
-
MD5
fddb8b56a01dfc7b2f20db5ae8c6afa7
-
SHA1
53a3b37818847340a7c1c4111dcb4510f5bc9060
-
SHA256
b5457332bb2f8d2d2658b2db158f0ed12af8e4502c76e0ac717f7313d13fd8ba
-
SHA512
c85f534908af034cfac24bd102479d473ef49ab454c6d04cb82c3c22278f75f9224a29e889e2335d3ae98b915563e30bc91d489dd85fa2d850606b722a4ab7f0
-
SSDEEP
12288:QOazeZYFBIuY8ldJ2su4+wVeWuXJ0kkw+dqDRhXzN/I3aSu7+RiF2obD1Y:D2FhY+d/on5/F+dqR/I3aSu7B+
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 2164 resultbar.exe 2720 resultbar.exe 2820 resultbar123.exe 3048 resultbar.exe -
Loads dropped DLL 9 IoCs
pid Process 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 2720 resultbar.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 3048 resultbar.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat resultbar123.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO1EOEUJ.htm resultbar123.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\ResultBar\resultbar.dll resultbar.exe File opened for modification C:\Program Files (x86)\ResultBar\resultbar.dll resultbar.exe File created C:\Program Files (x86)\ResultBar\resultbar.exe resultbar.exe File created C:\Program Files (x86)\ResultBar\uninstall.exe fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language resultbar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language resultbar123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language resultbar.exe -
NSIS installer 1 IoCs
resource yara_rule behavioral1/files/0x00070000000174b4-44.dat nsis_installer_1 -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad resultbar123.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106}\WpadNetworkName = "Network 3" resultbar123.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" resultbar123.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-72-81-6f-d7-bf resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-72-81-6f-d7-bf\WpadDecision = "0" resultbar123.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106} resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106}\WpadDecisionReason = "1" resultbar123.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106}\WpadDecisionTime = d0478d292e12db01 resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106}\WpadDecision = "0" resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D6E87EF6-8D7C-414D-BAC8-3D710D7E5106}\46-72-81-6f-d7-bf resultbar123.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-72-81-6f-d7-bf\WpadDecisionReason = "1" resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings resultbar123.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix resultbar123.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ resultbar123.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-72-81-6f-d7-bf\WpadDecisionTime = d0478d292e12db01 resultbar123.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" resultbar123.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 resultbar123.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid Process 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe 2820 resultbar123.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3048 resultbar.exe 3048 resultbar.exe 3048 resultbar.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2436 wrote to memory of 2164 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 31 PID 2436 wrote to memory of 2164 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 31 PID 2436 wrote to memory of 2164 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 31 PID 2436 wrote to memory of 2164 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 31 PID 2436 wrote to memory of 2720 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 32 PID 2436 wrote to memory of 2720 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 32 PID 2436 wrote to memory of 2720 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 32 PID 2436 wrote to memory of 2720 2436 fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe 32 PID 2820 wrote to memory of 3048 2820 resultbar123.exe 34 PID 2820 wrote to memory of 3048 2820 resultbar123.exe 34 PID 2820 wrote to memory of 3048 2820 resultbar123.exe 34 PID 2820 wrote to memory of 3048 2820 resultbar123.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fddb8b56a01dfc7b2f20db5ae8c6afa7_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.exe"C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.exe" "C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.dll" 13424952222⤵
- Executes dropped EXE
PID:2164
-
-
C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.exe"C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.exe" "C:\Users\Admin\AppData\Local\Temp\nstE1C9.tmp\resultbar.dll" sayeyagez "" dafucoti2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\ProgramData\ResultBar\resultbar123.exe"C:\ProgramData\ResultBar\resultbar123.exe" "C:\Program Files (x86)\ResultBar\resultbar.dll" emidafuco kevivaceq1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Program Files (x86)\ResultBar\resultbar.exe"C:\Program Files (x86)\ResultBar\resultbar.exe" "C:\Program Files (x86)\ResultBar\resultbar.dll" cajozura wufeyakilo2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3048
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
564KB
MD578a214f021ec9350231d6e6897626a43
SHA1a193bfa081bae83b9de7bf8587015e56d7dd21ec
SHA256ad3b50427a57326cfb9cbd3f9e2f998dbe6592b37139f32081845b2665495666
SHA5122c2b97fc70b077b5d81fa37c8cd40935c858e053226abc6e1e76387889af171fd5cf03c18a2348766d67c90035922b338ae3c56349de39822b6c008abe51b4b1
-
Filesize
82KB
MD5c78dc19bab9bcb490d031ccca4bdf853
SHA1f40960a41ff93fdcad2793f36fb5437db93b120c
SHA256a743fab26fad94ba571933471af4685660a80c73ef4a86ea276aebcc197b2600
SHA512da9f21b7eb01b3350614ee912f98389e209e0ce0afed08fdd13bea153f28510a2aeb468c10bf3317e0fe2716af9d67702996a8cbf18eb3ce1435be68c722abca
-
Filesize
48KB
MD5dd4be76eb8e2dbb337058604ea25c57d
SHA16f0d8746eaf2d2258b86b7301c9a9928e807a541
SHA256915228f7184e3180ba59a9d282e017c63fe3f7d0e34f7a9786ec0698a60a5019
SHA512188a318d0a28b6089388aa26e72e9432aed85d96e4a047ca78158db59c99c0a09c9966b5c5d29def0048ddeac8cb409f0db08a2b8148634c14a950c68efddf5f