89aa030be1bc8c352c1e639992143bf0f0b0471344dd24fa4a0c24d46971f996

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
Size

506KB
MD5

fe850b9cb64952e4ef425c2483f6e1e5
SHA1

859d625c454b1d706d45eff9b710032f4738b3cf
SHA256

89aa030be1bc8c352c1e639992143bf0f0b0471344dd24fa4a0c24d46971f996
SHA512

5d9e401b244ba9cc8bcdebe40595b5fbba7ea0cd57039209dae0c120b087d9abefb9ea82db06b278e817e845f8f29a8234c5bcd451f734fdffac5901481d5e7f
SSDEEP

6144:jaUhMk70XLC1t9N9/W76hVj+VD3hbcd5SVtY/nWMSqKMXGY/uqp:jqkeLCP9NyEma3l4fM

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	Nligua.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral1/memory/2764-12-0x0000000000400000-0x0000000000480000-memory.dmp	upx
behavioral1/files/0x0008000000016dcf-11.dat	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
File created	C:\Windows\Nligua.exe	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
File opened for modification	C:\Windows\Nligua.exe	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Nligua.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Nligua.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nligua.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	Nligua.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe
2764	Nligua.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2644	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
2764	Nligua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2764	2644	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2764	2644	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2764	2644	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2764	2644	fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe850b9cb64952e4ef425c2483f6e1e5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Nligua.exe
  C:\Windows\Nligua.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Nligua.exe

Filesize
506KB

MD5
fe850b9cb64952e4ef425c2483f6e1e5

SHA1
859d625c454b1d706d45eff9b710032f4738b3cf

SHA256
89aa030be1bc8c352c1e639992143bf0f0b0471344dd24fa4a0c24d46971f996

SHA512
5d9e401b244ba9cc8bcdebe40595b5fbba7ea0cd57039209dae0c120b087d9abefb9ea82db06b278e817e845f8f29a8234c5bcd451f734fdffac5901481d5e7f

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
372B

MD5
ca94f15d712ac88065d14e8f3f4ea216

SHA1
3b557f100c3739eb4bb5cf9e142dff7379e9e1fa

SHA256
64a008a8c09ab335629eb390d485aed91b11403fe726b6c124b43b5db74f7d42

SHA512
43a00d79b5f1ca99dfc512ac039771c9f5eed8926272d9b7170dbc6445f2f32938249d0efed4df40e34ab917fd046ed39d27a4446f32de170a3d25586a0e00dc

Download Submit
memory/2644-3-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2644-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2644-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2644-18-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2644-20-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2644-16213-0x0000000001F30000-0x0000000001FB0000-memory.dmp

Filesize
512KB

Download
memory/2644-47761-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-12-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2764-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2764-47764-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download