Overview

Report tabs (score shown per tab):
  Overview                                       7
  Static                                         7
  0b41ae79d6...18.exe    windows7-x64            7
  0b41ae79d6...18.exe    windows10-2004-x64      7
  $PLUGINSDI...ns.dll    windows7-x64            3
  $PLUGINSDI...ns.dll    windows10-2004-x64      3
  $PLUGINSDIR/hnml.dll   windows7-x64            5
  $PLUGINSDIR/hnml.dll   windows10-2004-x64      5
  uninst.exe             windows7-x64            7
  uninst.exe             windows10-2004-x64      7

Analysis
  max time kernel:   94s
  max time network:  95s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         02/10/2024, 15:00
Behavioral tasks
  Task          Sample                                                Resource
  behavioral1   0b41ae79d6f39c034068d5b2dc2ec7a7_JaffaCakes118.exe    win7-20240729-en
  behavioral2   0b41ae79d6f39c034068d5b2dc2ec7a7_JaffaCakes118.exe    win10v2004-20240802-en
  behavioral3   $PLUGINSDIR/InstallOptions.dll                        win7-20240708-en
  behavioral4   $PLUGINSDIR/InstallOptions.dll                        win10v2004-20240802-en
  behavioral5   $PLUGINSDIR/hnml.dll                                  win7-20240704-en
  behavioral6   $PLUGINSDIR/hnml.dll                                  win10v2004-20240802-en
  behavioral7   uninst.exe                                            win7-20240903-en
  behavioral8   uninst.exe                                            win10v2004-20240802-en
General
  Target:   uninst.exe
  Size:     36KB
  MD5:      8420438e419d653f911f16abfd26c9ed
  SHA1:     d39750d6ceb780df4ea984d9645b2f9e94b80329
  SHA256:   77a417460ee0c8c5bc65188ea2b0fa4ca9b2d2d6c94daa0ea206ea909e7d929a
  SHA512:   c1ef2f814e7095d6c36986239441b4f0e91922ca70ddb64e857f267b84359117d6cbb426a30582e5ef0bc8e6bcd5a7787cee6200d9cfa10111b7000cd7e15a68
  SSDEEP:   768:51DVgVapclBrPlbLQPCGB4/deAC6Jn7z8Ld8tx8wxp4wFBOV1mJHbaQ8b:fDV6awBrdbLkrude7mnflp4tmJHmT
Malware Config

Signatures
  Deletes itself (1 IoC)
    pid    process
    3380   Au_.exe

  Executes dropped EXE (1 IoC)
    pid    process
    3380   Au_.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description   ioc                                                            process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Au_.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    uninst.exe

  NSIS installer (1 IoC)
    resource                                      yara_rule
    behavioral8/files/0x000800000002343c-3.dat    nsis_installer_1

  Suspicious use of WriteProcessMemory (3 IoCs)
    description                          pid    process      procid_target
    PID 3956 wrote to memory of 3380     3956   uninst.exe   82
    PID 3956 wrote to memory of 3380     3956   uninst.exe   82
    PID 3956 wrote to memory of 3380     3956   uninst.exe   82
Processes
  C:\Users\Admin\AppData\Local\Temp\uninst.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
    PID: 3956
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      PID: 3380
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  36KB
  MD5:       8420438e419d653f911f16abfd26c9ed
  SHA1:      d39750d6ceb780df4ea984d9645b2f9e94b80329
  SHA256:    77a417460ee0c8c5bc65188ea2b0fa4ca9b2d2d6c94daa0ea206ea909e7d929a
  SHA512:    c1ef2f814e7095d6c36986239441b4f0e91922ca70ddb64e857f267b84359117d6cbb426a30582e5ef0bc8e6bcd5a7787cee6200d9cfa10111b7000cd7e15a68