bc2977039aa36576286ad90e1361888b8bda9ed5f1e0a8bbf00e734712b796b4

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe
Size

254KB
MD5

07475c5ebed816875360d0d402af00d9
SHA1

b8d0aff4d314c3458c9eb42f33f5ca9bab8dbe96
SHA256

bc2977039aa36576286ad90e1361888b8bda9ed5f1e0a8bbf00e734712b796b4
SHA512

afc095438df55a55745e9bd43578c68722b925371c8b6e8bb98ce5ff280b623d5fe66d3f8148b336ae7c6751bc71e36d534b7617888a2b41beef47c0996d085e
SSDEEP

6144:09BrhnxHaMr/IOkE+QqFd5Mi00vJtObbfu:gPr/IOkEjibtqfu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4412	bibibei12.exe

Loads dropped DLL 5 IoCs

pid	Process
4412	bibibei12.exe
4412	bibibei12.exe
4412	bibibei12.exe
4412	bibibei12.exe
4412	bibibei12.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\±È±ÈßÂ\bibibei.dll	bibibei12.exe
File created	C:\Program Files (x86)\±È±ÈßÂ\±È±ÈßÂ¹Ù·½ÍøÕ¾.url	bibibei12.exe
File created	C:\Program Files (x86)\±È±ÈßÂ\bibibei.ico	bibibei12.exe
File created	C:\Program Files (x86)\±È±ÈßÂ\Ð¶ÔØ.exe	bibibei12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bibibei12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00090000000233db-2.dat	nsis_installer_1
behavioral2/files/0x00090000000233db-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4412	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	84
PID 4724 wrote to memory of 4412	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	84
PID 4724 wrote to memory of 4412	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	84
PID 4724 wrote to memory of 728	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	88
PID 4724 wrote to memory of 728	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	88
PID 4724 wrote to memory of 728	4724	07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07475c5ebed816875360d0d402af00d9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\bibibei12.exe
  C:\Users\Admin\AppData\Local\Temp\bibibei12.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\unins.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\±È±ÈßÂ\bibibei.dll

Filesize
85KB

MD5
44bef753e4a6be3c990070aeb7bc994e

SHA1
2a45791ebcb41e9c74423573e6c9207bddd8d8bf

SHA256
fcf4dc5492b6c99f7620d7b9692e3293d6cc7b95ad0f5dde5890ab7162955da4

SHA512
c0dfdd62f3ffda4c886f81051e87aa85096ee0be6452bf0a634b9096fdb6237d065d1a80b5c58b071b2cd4f95d0db3e0949f2808fa8b5a990137eb4d25aa7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\bibibei12.exe

Filesize
155KB

MD5
7c2c7156a8059e828ef25b770672779a

SHA1
abd7f60e36931cb5e2943bc4eb1624a979f6da84

SHA256
a75943c496ab9dabf46d238d86e49169c25b2a83630296a9a5064fa4efdfb3f8

SHA512
91fce6cf74ac0cd17c127ded96259dae17e6f3a56c0400e787419182c78c5cae83b0c4eec4012ac4292a4e4c2600dcd874855b468b98b663a90f197cb0e3efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx8D5C.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\unins.bat

Filesize
212B

MD5
9d6b1ff83e23fd808836146e80a23172

SHA1
fa1bdd549daa7947a850f04516fea7588caed9ea

SHA256
58f88c51a8d0b4ed8a0f08a104cb479c51bdd97da4f222be4698c2dda758ddf2

SHA512
14ed2fcfb5938950c33759fbb0ab276ada9fd060e5bab861f205e01e4f11242f3679f4e38e82693ee1fa85ee6654d4884b645f1c0b2ec7c295d19e772b207cf1

Download Submit
memory/4412-23-0x0000000002190000-0x00000000021A4000-memory.dmp

Filesize
80KB

Download
memory/4724-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download