Analysis

  • max time kernel: 150s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05-10-2024 11:38

General

  • Target: 178a17af6483d14979dddbb5624099c8_JaffaCakes118.exe
  • Size: 704KB
  • MD5: 178a17af6483d14979dddbb5624099c8
  • SHA1: a71d026c859e25ea92abed51d979ac6a0aad0331
  • SHA256: 9f256187849ed48633bad4cf3167a792ef03ad3cea253810d0be5899b54e0589
  • SHA512: 728da8135a6a033ca12ffadd9ed5d5cec55c9a69e6cc37b8385f545265a0bc5aa16aac2fa8066d6f809e4127c8fc8f0fdb7f0f8b3be1b33950d5ac28fcad5190
  • SSDEEP: 12288:yKfdCCokKLfCyLNe4Xaf+sH2wzyECclHC6dHC9lZ4635:yKlhtWPRe4Kmk2+ccxC+H0aM

Score: 7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\178a17af6483d14979dddbb5624099c8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\178a17af6483d14979dddbb5624099c8_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.exe
      "C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.exe" "C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.dll" lybu42758849470
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3912
    • C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.exe
      "C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.exe" "C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.dll" ekuyexavux " " gewuqimuhu
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4156
  • C:\ProgramData\ZwankySearch\zwankysearch152.exe
    "C:\ProgramData\ZwankySearch\zwankysearch152.exe" "C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" pisowovidu faduwupis
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Program Files (x86)\ZwankySearch\zwankysearch.exe
      "C:\Program Files (x86)\ZwankySearch\zwankysearch.exe" "C:\Program Files (x86)\ZwankySearch\zwankysearch.dll" neledenab exavanaf
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsg9608.tmp\InstallOptions.dll
    Filesize: 13KB
    MD5: d765c492c21689e3d9d61634371fd861
    SHA1: ac200933671ae52c9d5544d0e2e8e9144d286c83
    SHA256: 551e6042dd494ea01549555ffc194ab9729da09058ec714eb368dd06642c9bbc
    SHA512: 9919a9e848c8f1e26c75d0d29207571e4b86a4140bd554743d2c1f8bd7f386fe4919345b163d89a5d907fb165e435ba0ac5f6b1101713636141f156a420e2e0f

  • C:\Users\Admin\AppData\Local\Temp\nsg9608.tmp\System.dll
    Filesize: 10KB
    MD5: fe24766ba314f620d57d0cf7339103c0
    SHA1: 8641545f03f03ff07485d6ec4d7b41cbb898c269
    SHA256: 802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd
    SHA512: 60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

  • C:\Users\Admin\AppData\Local\Temp\nsg9608.tmp\ioSpecial.ini
    Filesize: 564B
    MD5: 919095b5830b8d8407a20274236f4f24
    SHA1: 44ae7f5f7a6f05ed522bec51321ea04d895aaee9
    SHA256: aac3e4bc24bc193dfd6ba735ef5faa7a5f08ec7df4e27df901492d73f074a159
    SHA512: 11cfc6a1d3a527cd38de6768be86a9ac74cc160b4c1a5a37d5d7adcd13a56461b360a02d2d8ec12661a77840b141d69dee642222e13c481446f2f6db7b0e09c7

  • C:\Users\Admin\AppData\Local\Temp\nsg9608.tmp\ioSpecial.ini
    Filesize: 702B
    MD5: 98fde3f3931f54ff50d2e2bdd6a57ce4
    SHA1: f445ae0adae7692ba8b1f2026c3a09d4d09253b0
    SHA256: 692596ce63d963b81259a9310dcc77a82f5998890d50c35969bcb1c4c6394184
    SHA512: a134d37035acb7aaef71cb1e975af6c979693e3034ab4f7a695d6ecb8d59f148e675daa49b6efb07ffceddfd15f7e9b8bf81f9c4d5d21c29d9ea859603d6ae3b

  • C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\uninstall.exe
    Filesize: 83KB
    MD5: 9ad10639431cdf03fad57eaa6fa3d63a
    SHA1: 0b079e322ad7ef5eb440100c359c1053de4f3ca6
    SHA256: a03ddf5f1b2f8b2160f6923d5f583aec30b0cc5c6ead3a77f833294f12474768
    SHA512: a1c15dc9863830c649fc0071fd3a62d332986bcfff2397235bf97e2b478f4e0f057c318664828ba1e98ed3b0b004bbd9454815f41cbc0ba4fc8d09efd4634512

  • C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.dll
    Filesize: 564KB
    MD5: 70b70e0a8052772b888801c06d533d30
    SHA1: d3ccea04f30e777e44576dcf329dd9bb479435c6
    SHA256: 423b0deae79b856d1a7bab607d5eeef3b72d8441517226e5d498c00a96eeeda8
    SHA512: bf11fdb5ae847f1e4dbce38a9754dd00022e6768ad68430cb96fe5c95b4a7e2b81dbb5ba1be12e7ea7132bd378698e8da134e608fef47347ed0da44795736383

  • C:\Users\Admin\AppData\Local\Temp\nsqE13B.tmp\zwankysearch.exe
    Filesize: 48KB
    MD5: 73c64dccbe08bcb82db346f010ed6574
    SHA1: 5c8a6af77aaeae18dced3d27a31ad8304e1cf43e
    SHA256: 9ffa03a7ca819f72ce1048dbc3d32c99fef210c6e0c2f99ef1897eb18dcc81df
    SHA512: 2994bbb60ef6e56b51a67dbffd3d6d833e4f0a495787aa71c8fbaa42fda0c45b73781f015544f98556c08a51310ab8af1e0975891eda7436fe2f815ae0cc2b09

  • memory/1228-132-0x0000000005940000-0x00000000059C2000-memory.dmp
    Filesize: 520KB

  • memory/2016-124-0x00000000004E0000-0x0000000000562000-memory.dmp
    Filesize: 520KB

  • memory/2216-105-0x0000000000540000-0x00000000005C2000-memory.dmp
    Filesize: 520KB

  • memory/4156-95-0x0000000000410000-0x0000000000492000-memory.dmp
    Filesize: 520KB