aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
Size

958KB
MD5

4500b5e2709a64dd32071bd7ef49a6de
SHA1

e2a5ab81f41287fc72436e8fc65115079c0d0cbd
SHA256

aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545
SHA512

1cfde5da9ad9ead0981968e7b07794eb5c8deb310076a1cbc0fd1c473c9486d3bf3762c8619d3b856f0675240ab18f7c8d7eb3628f655921b36e4426b2b968e1
SSDEEP

24576:OHOCbQv8QJsX6YSsYNOkeS3PCXVAiEOiYt:8O4q83K/jhfe4O/

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	nsis.exe

Loads dropped DLL 7 IoCs

pid	Process
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000170b5-87.dat	upx
behavioral1/memory/1924-82-0x0000000002F30000-0x0000000003071000-memory.dmp	upx
behavioral1/memory/2644-88-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/1924-93-0x0000000002F30000-0x0000000003071000-memory.dmp	upx
behavioral1/memory/2644-183-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2644-184-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GinoPlayer\Uninstall.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\GinoPlayer.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\Interop.WMPLib.dll	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\uninstall.ico	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\launcher.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\ping.txt	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsis.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000197c1-105.dat	nsis_installer_1
behavioral1/files/0x00060000000197c1-105.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2644	1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	31
PID 1924 wrote to memory of 2644	1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	31
PID 1924 wrote to memory of 2644	1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	31
PID 1924 wrote to memory of 2644	1924	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\nsis.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\nsis.exe" /hwnd=262388 /saff="ginoplayer_11730" /landing="0" /Path="C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\ioSpecial.ini

Filesize
550B

MD5
abf748382f91ee8e10b025e7c7451f5e

SHA1
25ccf988a83e2d6986f1d76b5662c56086b18df2

SHA256
fe99540da29f4cddb27bb97516a9451a642619b4ba89b4da1346c41407b6b9b9

SHA512
df490bb9377fcf7b79269a7852c75ff3eeccf295f65fb163ecc10ff7fa08722063582819f921410e7befc8083caefc9dac11bcd3f54e0afff6c101b0ba437dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\ioSpecial.ini

Filesize
727B

MD5
e53a5c74197edbccc455e76fa2ab748f

SHA1
20da6902cff7aa922170594935f0a4b6c613fc7c

SHA256
c4f6a28ba97b9986b0f97d98b27bcc0a951e58b38d14faf3ec6c053cab5110dd

SHA512
facac522a64b147e4d7e7cb6f24bc1ea88ab3b3909ad9ae253c899173b7f46dba44cbe13fc3b99baef82f9963c58d17f333448a612a3c577f61d88542dd3f6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\ioSpecial.ini

Filesize
688B

MD5
497c0538fdfd5d6b4eb1af93b65ce3bb

SHA1
4dc458b0e4aaaf4a429fcf6a6c613ad15653c019

SHA256
278c794f27561fe84238775aab2fed7e66586cfed24f2b2f5f7c2bdd1ac94eb2

SHA512
f9f7787da7933697a6825a3b6b421b28f55b4773ed50914ad2e58cdc404d77005665c4ab00a5b2fe7371a394a18e839cf4dec2fde8ee5fac6111859d20a206fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\nsis.exe

Filesize
448KB

MD5
7b99f808968d538c99962640c85742ac

SHA1
717ba7eeb1bd3846d3c9bfecd184a185fc3da1c1

SHA256
f738ffbedeca142ca69d6f3263183328787bdcc054dea0340d2595367de98997

SHA512
845299374d069a8c97d0f182e06c17e1c594242cf23981b6a244167228f2c265401ab023b9458988cc810638cb28f886a006d3abd264e70ec92570397d2e50bc

Download Submit
\Program Files (x86)\GinoPlayer\Uninstall.exe

Filesize
77KB

MD5
ff11f586d42a888469164063c399d917

SHA1
b3feded2344ea9a22035f628a441883c6216bf3e

SHA256
869c31354b5c3f1c7586fec5c51270a606ca5210d4ea9df4a078a1d7bc62112e

SHA512
573c35c9f066a2fbfba29d1cee5157b0d518d62210beb088d8c5380d43da4ee749a215ff76531e9ff59161a6449bdb44e3e0ee2ec4b18e03e0d36cbb131cbc86

Download Submit
\Program Files (x86)\GinoPlayer\launcher.exe

Filesize
550KB

MD5
9b83990fce13716ad79131772b15c915

SHA1
989dfc018c35a0242523c722da6fa881aa9f2678

SHA256
5b2338071972a864622a36a4452d218d70f1c80024c6f7d84e1c5aa590efd5d1

SHA512
e3ae253c7f9c3bdefe0965af1a788f26025c0994c2bcf76ed7c4048dad648b383bf245bd2854c90c40dd6f453868f9dec2b86cce8414dcfd00c61c898ace1c38

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
memory/1924-86-0x0000000002F30000-0x0000000003071000-memory.dmp

Filesize
1.3MB

Download
memory/1924-93-0x0000000002F30000-0x0000000003071000-memory.dmp

Filesize
1.3MB

Download
memory/1924-82-0x0000000002F30000-0x0000000003071000-memory.dmp

Filesize
1.3MB

Download
memory/2644-89-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2644-88-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2644-183-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2644-185-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2644-184-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download