Analysis
max time kernel: 147s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2024, 00:48
Behavioral tasks

Task          Sample                                              Resource
behavioral1   4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  win7-20240903-en
behavioral2   4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  win10v2004-20241007-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                      win7-20240903-en
behavioral4   $PLUGINSDIR/InstallOptions.dll                      win10v2004-20241007-en
behavioral5   $PLUGINSDIR/NSISdl.dll                              win7-20241010-en
behavioral6   $PLUGINSDIR/NSISdl.dll                              win10v2004-20241007-en
behavioral7   $PLUGINSDIR/nsis.exe                                win7-20241010-en
behavioral8   $PLUGINSDIR/nsis.exe                                win10v2004-20241007-en
behavioral9   GinoPlayer.exe                                      win7-20240708-en
behavioral10  GinoPlayer.exe                                      win10v2004-20241007-en
behavioral11  Interop.WMPLib.dll                                  win7-20240903-en
behavioral12  Interop.WMPLib.dll                                  win10v2004-20241007-en
behavioral13  Uninstall.exe                                       win7-20240903-en
behavioral14  Uninstall.exe                                       win10v2004-20241007-en
behavioral15  $PLUGINSDIR/InstallOptions.dll                      win7-20240708-en
behavioral16  $PLUGINSDIR/InstallOptions.dll                      win10v2004-20241007-en
behavioral17  launcher.exe                                        win7-20240903-en
behavioral18  launcher.exe                                        win10v2004-20241007-en
General
Target: 4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
Size: 958KB
MD5: 4500b5e2709a64dd32071bd7ef49a6de
SHA1: e2a5ab81f41287fc72436e8fc65115079c0d0cbd
SHA256: aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545
SHA512: 1cfde5da9ad9ead0981968e7b07794eb5c8deb310076a1cbc0fd1c473c9486d3bf3762c8619d3b856f0675240ab18f7c8d7eb3628f655921b36e4426b2b968e1
SSDEEP: 24576:OHOCbQv8QJsX6YSsYNOkeS3PCXVAiEOiYt:8O4q83K/jhfe4O/
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2644  nsis.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

  resource                                                                    yara_rule
  behavioral1/files/0x00070000000170b5-87.dat                                 upx
  behavioral1/memory/1924-82-0x0000000002F30000-0x0000000003071000-memory.dmp  upx
  behavioral1/memory/2644-88-0x0000000000400000-0x0000000000541000-memory.dmp  upx
  behavioral1/memory/1924-93-0x0000000002F30000-0x0000000003071000-memory.dmp  upx
  behavioral1/memory/2644-183-0x0000000000400000-0x0000000000541000-memory.dmp upx
  behavioral1/memory/2644-184-0x0000000000400000-0x0000000000541000-memory.dmp upx

Drops file in Program Files directory (6 IoCs)
  description   ioc                                                 Process
  File created  C:\Program Files (x86)\GinoPlayer\Uninstall.exe     4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\GinoPlayer.exe    4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\Interop.WMPLib.dll 4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\uninstall.ico     4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\launcher.exe      4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\ping.txt          4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nsis.exe
NSIS installer (2 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x00060000000197c1-105.dat  nsis_installer_1
  behavioral1/files/0x00060000000197c1-105.dat  nsis_installer_2

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                             procid_target
  PID 1924 wrote to memory of 2644  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  31
  PID 1924 wrote to memory of 2644  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  31
  PID 1924 wrote to memory of 2644  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  31
  PID 1924 wrote to memory of 2644  1924  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  31
Processes

1. C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe"
   PID: 1924
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\nsis.exe (child of PID 1924)
      Command line: "C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\nsis.exe" /hwnd=262388 /saff="ginoplayer_11730" /landing="0" /Path="C:\Users\Admin\AppData\Local\Temp\nsjB02E.tmp\"
      PID: 2644
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads