Overview (score 7)
Static: static (score 3)
Behavioral tasks (score per task):
- 0837f77cd9...18.exe, windows7-x64: 7
- 0837f77cd9...18.exe, windows10-2004-x64: 7
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $SYSDIR/$S...4_.exe, windows7-x64: 7
- $SYSDIR/$S...4_.exe, windows10-2004-x64: 7
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $TEMP/$_8_.dll, windows7-x64: 6
- $TEMP/$_8_.dll, windows10-2004-x64: 6
Analysis
- max time kernel: 144s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 01:18
Static task: static1
Behavioral task behavioral1: sample 0837f77cd9394e93a2ffe82ac227f1d2_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 0837f77cd9394e93a2ffe82ac227f1d2_JaffaCakes118.exe, resource win10v2004-20240802-en
Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240903-en
Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
Behavioral task behavioral5: sample $SYSDIR/$SYSDIR/$_14_.exe, resource win7-20240903-en (this report)
Behavioral task behavioral6: sample $SYSDIR/$SYSDIR/$_14_.exe, resource win10v2004-20240802-en
Behavioral task behavioral7: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240729-en
Behavioral task behavioral8: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240910-en
Behavioral task behavioral9: sample $PLUGINSDIR/System.dll, resource win7-20240704-en
Behavioral task behavioral10: sample $PLUGINSDIR/System.dll, resource win10v2004-20240802-en
Behavioral task behavioral11: sample $TEMP/$_8_.dll, resource win7-20240903-en
Behavioral task behavioral12: sample $TEMP/$_8_.dll, resource win10v2004-20240802-en
General
- Target: $SYSDIR/$SYSDIR/$_14_.exe
- Size: 47KB
- MD5: 31351d9a63bd5bf7a486aaac8fde38d4
- SHA1: 3cb292702c0f2454eadb97dfa440a30d7e10e236
- SHA256: 8d39dbde3f97733cfd3a37201aef59264b9c8cf6520b13442a7ebb490ad2d726
- SHA512: 63b88e44bcfc4e004430829222314e221d2dd7074ef82d23cf1a5703e1b1dca88e61021229b714dd11dde83246b52847178dca6318bbe1065cbb598b2a07ed3f
- SSDEEP: 768:CCloVlpQE2MQGc6rDh84nSwN15G4DRF/O71mJ3JRnAB/qspezGXDcWu83l/:TYpQtMDc6fnpumJAB/qsjD+8p
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2476, process Au_.exe
- Loads dropped DLL (3 IoCs)
  pid 2472, process $_14_.exe
  pid 2476, process Au_.exe
  pid 2476, process Au_.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by $_14_.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Au_.exe
- NSIS installer (2 IoCs)
  yara rule nsis_installer_1 matched behavioral5/files/0x0005000000019506-2.dat
  yara rule nsis_installer_2 matched behavioral5/files/0x0005000000019506-2.dat
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2472 ($_14_.exe) wrote to memory of PID 2476 (procid_target 30); the same edge is reported four times.
Processes
- C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe (PID 2472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (PID 2476, child of PID 2472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 530B
  MD5: 1401d373cf497be2a795b81d1d2d1ebf
  SHA1: f2ea33e8f873ad8bec4b5733a25940ed8e17b213
  SHA256: 6754368cea67ba90e3e0224f5cdaad4f4e93aa6a14390785f9b7bd264410313e
  SHA512: 4891dfe2a9ab4dbbf37ccb92683e5969d6fc3991ffff7b89b7f82b20f4cc4fd16cef0f95c741c032150012a3582fd7c54a1a8ad064acb78d705e3b00267cf583
- Filesize: 457B
  MD5: 3dd555b3a8e68c3d96799200e70bfa06
  SHA1: acbc9af8b616ffb6af53024a56155453f422651a
  SHA256: 65e4903c62e127083a55ab76914b2cc1b54953d2a94b061b855d78757c3f4e17
  SHA512: 992cc9b18d754b44ffd14313338def5d1a002054761f9e1c25d06f918279330b9332a2071b3dff8734fdf8d490c967334f58f1aade641ef637cd46c4c5358155
- Filesize: 509B
  MD5: 6f19d0a4569a1370118dae6a4074cce7
  SHA1: 32f342bfbe08829479c11e892f21382e1bc9de37
  SHA256: b6c34fcd3c1e74398fb419df430fac1b70599ea84079deb192618aee0f7049a0
  SHA512: 3793ddaa1d7fbee5508959f053091a3c66bf005391963644043d2161941434e638c935f4f6a1e9fa36a19aea7252206da7dd44464ee3b12d9ada151d7e293ad1
- Filesize: 14KB
  MD5: eef9e469e8a30717974499f277d97e2a
  SHA1: 2d33c25984ebd9116beeb55cdde4c5c86c023e5d
  SHA256: 1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
  SHA512: d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48
- Filesize: 11KB
  MD5: c6f5b9596db45ce43f14b64e0fbcf552
  SHA1: 665a2207a643726602dc3e845e39435868dddabc
  SHA256: 4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0
  SHA512: 8faa0204f9ed2721acede285be843b5a2d7f9986841bcf3816ebc8900910afb590816c64aebd2dd845686daf825bbf9970cb4a08b20a785c7e54542eddc5b09a
- Filesize: 47KB (same hashes as the analysed target $_14_.exe in the General section)
  MD5: 31351d9a63bd5bf7a486aaac8fde38d4
  SHA1: 3cb292702c0f2454eadb97dfa440a30d7e10e236
  SHA256: 8d39dbde3f97733cfd3a37201aef59264b9c8cf6520b13442a7ebb490ad2d726
  SHA512: 63b88e44bcfc4e004430829222314e221d2dd7074ef82d23cf1a5703e1b1dca88e61021229b714dd11dde83246b52847178dca6318bbe1065cbb598b2a07ed3f
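The checks an analyst would run over the Processes and Downloads sections of this report, as an added example (this is the editor's code, not the sandbox's and not part of the sample): rebuild the parent/child relation from the WriteProcessMemory rows, recognise the "~nsu.tmp\Au_.exe ... _?=<dir>" launch as the standard NSIS uninstaller self-copy (an NSIS uninstaller copies itself to a temp directory and passes the install directory via _?= so the original file can be deleted, so the stub is installer scaffolding rather than the payload), and drop the sample's own SHA256 from the Downloads list so only genuinely new file hashes remain to hunt for. Every command line, PID and hash below is transcribed from this page; the function names, labels and heuristics are the editor's.

```python
"""Analyst-side checks over this report's process tree and dropped-file list.

Added example, not the sandbox's code. Inputs are transcribed from the report
on this page; the heuristics (NSIS uninstaller self-copy detection, removal of
the sample's own hash from the IoC list) are the editor's, not sandbox rules.
"""
import re

# Process tree as reported (constructed from the page's Processes section).
PROCESSES = [
    {"pid": 2472, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR\$_14_.exe"'},
    {"pid": 2476, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" '
                             r'_?=C:\Users\Admin\AppData\Local\Temp\$SYSDIR\$SYSDIR' + "\\"},
]

# "PID 2472 wrote to memory of 2476" rows from the WriteProcessMemory signature.
WPM_ROWS = [(2472, 2476)] * 4

# SHA256 of the analysed target (General section) and of each Downloads entry.
TARGET_SHA256 = "8d39dbde3f97733cfd3a37201aef59264b9c8cf6520b13442a7ebb490ad2d726"
DOWNLOADS = [
    ("530B", "6754368cea67ba90e3e0224f5cdaad4f4e93aa6a14390785f9b7bd264410313e"),
    ("457B", "65e4903c62e127083a55ab76914b2cc1b54953d2a94b061b855d78757c3f4e17"),
    ("509B", "b6c34fcd3c1e74398fb419df430fac1b70599ea84079deb192618aee0f7049a0"),
    ("14KB", "1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078"),
    ("11KB", "4b6da3f2bdb6c452fb493b98f6b7aa1171787dbd3fa2df2b3b22ccaeac88ffa0"),
    ("47KB", "8d39dbde3f97733cfd3a37201aef59264b9c8cf6520b13442a7ebb490ad2d726"),
]

# NSIS uninstallers copy themselves to %TEMP%\~nsu<X>.tmp\Au_.exe and re-launch
# with _?=<install dir> so the original can be deleted (NSIS convention).
NSIS_STUB_RE = re.compile(r"\\~nsu[^\\]*\.tmp\\Au_\.exe$", re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line into (image path, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, rest = cmdline.partition(" ")
    return image, rest


def nsis_uninstaller_dir(cmdline):
    """Return the directory passed via _?= when cmdline is an NSIS uninstaller
    stub running from ~nsu*.tmp\\Au_.exe, otherwise None."""
    image, args = split_cmdline(cmdline)
    if not NSIS_STUB_RE.search(image):
        return None
    m = re.search(r"_\?=(\S+)", args)
    return m.group(1) if m else None


def parent_map(wpm_rows):
    """Reconstruct child -> parent from write-to-memory edges (first writer wins)."""
    parents = {}
    for writer, target in wpm_rows:
        parents.setdefault(target, writer)
    return parents


def classify_tree(processes, wpm_rows):
    """Label each pid: 'root', 'nsis-uninstaller-stub' or 'child'."""
    parents = parent_map(wpm_rows)
    labels = {}
    for proc in processes:
        pid = proc["pid"]
        if nsis_uninstaller_dir(proc["cmdline"]) is not None:
            labels[pid] = "nsis-uninstaller-stub"
        elif pid not in parents:
            labels[pid] = "root"
        else:
            labels[pid] = "child"
    return labels


def new_artifact_hashes(target_sha256, downloads):
    """Downloads minus the analysed sample itself: the hashes worth hunting for."""
    return [sha for _size, sha in downloads if sha.lower() != target_sha256.lower()]


if __name__ == "__main__":
    print(classify_tree(PROCESSES, WPM_ROWS))
    print("uninstall dir:", nsis_uninstaller_dir(PROCESSES[1]["cmdline"]))
    print(len(new_artifact_hashes(TARGET_SHA256, DOWNLOADS)), "new file hashes")
```

The regex accepts both ~nsu.tmp as shown in this report and the ~nsuA.tmp style directory name, since the suffix varies; the _?= value is the directory the stub will operate on and is worth recording as the true install location when the process tree alone only shows temp paths.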