aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
Size

958KB
MD5

4500b5e2709a64dd32071bd7ef49a6de
SHA1

e2a5ab81f41287fc72436e8fc65115079c0d0cbd
SHA256

aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545
SHA512

1cfde5da9ad9ead0981968e7b07794eb5c8deb310076a1cbc0fd1c473c9486d3bf3762c8619d3b856f0675240ab18f7c8d7eb3628f655921b36e4426b2b968e1
SSDEEP

24576:OHOCbQv8QJsX6YSsYNOkeS3PCXVAiEOiYt:8O4q83K/jhfe4O/

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
876	nsis.exe

Loads dropped DLL 3 IoCs

pid	Process
2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c6d-80.dat	upx
behavioral2/memory/876-82-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/876-175-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral2/memory/876-176-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GinoPlayer\uninstall.ico	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\launcher.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\ping.txt	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\Uninstall.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\GinoPlayer.exe	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
File created	C:\Program Files (x86)\GinoPlayer\Interop.WMPLib.dll	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsis.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 876	2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	93
PID 2664 wrote to memory of 876	2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	93
PID 2664 wrote to memory of 876	2664	4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe" /hwnd=1179728 /saff="ginoplayer_11730" /landing="0" /Path="C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GinoPlayer\launcher.exe

Filesize
550KB

MD5
9b83990fce13716ad79131772b15c915

SHA1
989dfc018c35a0242523c722da6fa881aa9f2678

SHA256
5b2338071972a864622a36a4452d218d70f1c80024c6f7d84e1c5aa590efd5d1

SHA512
e3ae253c7f9c3bdefe0965af1a788f26025c0994c2bcf76ed7c4048dad648b383bf245bd2854c90c40dd6f453868f9dec2b86cce8414dcfd00c61c898ace1c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\ioSpecial.ini

Filesize
550B

MD5
262bdc8330205fa6058b135f565fb0c9

SHA1
6fa1c19f819d865a92ede9a294de81c4c8f46d02

SHA256
bcffa014a7919cbb1cd599f4a8e7ee46587f39769768e04d0e20c5b7703ea6b0

SHA512
7564a29535e2001b078250f948e850e09e68dcae55e6756d39f127d03001774601de2e4db1e9e96707ae43cebee77485f638cf6045274192f3d4816d0f59d8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\ioSpecial.ini

Filesize
688B

MD5
03820b6d29ecaaba53821b2cbbbd2a5a

SHA1
88e70d81313f32bcd374776ba82ed2cfa3248868

SHA256
3ffd6d463b8d140104f0364e0af81e5dd44e3068087dfd29aea28e970eb6f437

SHA512
e7567f99d9cf0ad78fabbfb3e347ec5a43f0a131ffab91598616f97d305dc2b6e1bb307df68de3368b80d224fdd888e63ad235e02dd325a2a9194902af734df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe

Filesize
448KB

MD5
7b99f808968d538c99962640c85742ac

SHA1
717ba7eeb1bd3846d3c9bfecd184a185fc3da1c1

SHA256
f738ffbedeca142ca69d6f3263183328787bdcc054dea0340d2595367de98997

SHA512
845299374d069a8c97d0f182e06c17e1c594242cf23981b6a244167228f2c265401ab023b9458988cc810638cb28f886a006d3abd264e70ec92570397d2e50bc

Download Submit
memory/876-82-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/876-83-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/876-175-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/876-177-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/876-176-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download