79e25e156a184c099194fd1f142a201e18859d1e6b1e9833c655ce03054e0a9a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe
Size

76KB
MD5

38bfc6e03c57124e73a542cc7fe283d3
SHA1

c9e1da1d148baa20bd560b18ae86a17188051ba9
SHA256

79e25e156a184c099194fd1f142a201e18859d1e6b1e9833c655ce03054e0a9a
SHA512

f0398a7406143ba7666c4006624bc6f3f2ed2257d2e41a724bb788e4027cb62e6b0e8c8004b6342dc9551d26709032fbd867220919f5cb6fec029028c6198538
SSDEEP

1536:iRvLphwAO2PH1srwmJm21Nj+uK/2TjtcNUpV3EdekEPDJlSgNamvE:ilpOI2wmJm21Nj+5Mjtcwk6lJrvE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	Au_.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe
2380	Au_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001939c-2.dat	nsis_installer_1
behavioral1/files/0x000600000001939c-2.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2380	2588	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe	30
PID 2588 wrote to memory of 2380	2588	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe	30
PID 2588 wrote to memory of 2380	2588	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe	30
PID 2588 wrote to memory of 2380	2588	38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38bfc6e03c57124e73a542cc7fe283d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
  "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjE6BA.tmp\validate.ini

Filesize
457B

MD5
86b4ba1153b1930ee6ee424974759950

SHA1
e109a32c4da6b6f305820c47d71e76637f2e5b9c

SHA256
038615400925833edd3d8ddb02b73be78430b91600f6f89aeb4a10e3d18cf9e4

SHA512
b6ee3c1c62e7c9681e06224165ac2727753dcdd85a095b56edba78f5d6c5ee5d8e7dee01956eb021d23a754393bd0c05081e9c719799e058cad17372c9eed46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE6BA.tmp\validate.ini

Filesize
509B

MD5
51bdfec6ff5744124d7d5c03faa45b49

SHA1
416bd75aa05797e8871e9e8e1ba66b7397134b6e

SHA256
d9c28ab20e46ba62a3b73a5becfe926760f1ea61f15d5eb289a67ea9c4bd03a5

SHA512
d3a372d43b27efb14fc8962e60cc13dead0fb9f8b05d5d74319008af7969f1fb6f69f217aae681c65ad733614a16e7226223df8c4096666e3c8e137f0e900cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE6BA.tmp\validate.ini

Filesize
530B

MD5
7b4e290d9b0994a07932d22816ab455e

SHA1
9f9f92115a1ddefcb1805208e929205b9d9a28af

SHA256
aa9b6be9062e951ae942e5334061e67078ce917268c35a037b67520d0649d2fe

SHA512
d24f7493d271d44f56a7d0846ac47d9a4bb13cea3dd8a69dad70ff2868cbcb501600146d994c5dbef0c085c943aa49c9fa1745ac6e75bb366d823e742ae885b4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE6BA.tmp\InstallOptions.dll

Filesize
14KB

MD5
06bef96b91bfa75b7f7817341a6cd597

SHA1
48a40368fc339ccea1dfda06d2e02bca7d7265c1

SHA256
2ca5590c85cc31285b83bbe569755d909d91b559db2d6ce3bca2fcc075225364

SHA512
5364d0944b4be215fb5d8bb8398e965ff6fa3190a962dd6c491984482321756017f89c2242d77ebcce6666c31fe54a956f2eb3a03a95d64121a1db462ad20a0d

Download Submit
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

Filesize
76KB

MD5
38bfc6e03c57124e73a542cc7fe283d3

SHA1
c9e1da1d148baa20bd560b18ae86a17188051ba9

SHA256
79e25e156a184c099194fd1f142a201e18859d1e6b1e9833c655ce03054e0a9a

SHA512
f0398a7406143ba7666c4006624bc6f3f2ed2257d2e41a724bb788e4027cb62e6b0e8c8004b6342dc9551d26709032fbd867220919f5cb6fec029028c6198538

Download Submit