Overview (score 7)
Static (score 5)

Task                   Platform            Score
4500b5e270...18.exe    windows7-x64        7
4500b5e270...18.exe    windows10-2004-x64  7
$PLUGINSDI...ns.dll    windows7-x64        3
$PLUGINSDI...ns.dll    windows10-2004-x64  3
$PLUGINSDI...dl.dll    windows7-x64        3
$PLUGINSDI...dl.dll    windows10-2004-x64  3
$PLUGINSDIR/nsis.exe   windows7-x64        5
$PLUGINSDIR/nsis.exe   windows10-2004-x64  5
GinoPlayer.exe         windows7-x64        6
GinoPlayer.exe         windows10-2004-x64  6
Interop.WMPLib.dll     windows7-x64        1
Interop.WMPLib.dll     windows10-2004-x64  1
Uninstall.exe          windows7-x64        7
Uninstall.exe          windows10-2004-x64  7
$PLUGINSDI...ns.dll    windows7-x64        3
$PLUGINSDI...ns.dll    windows10-2004-x64  3
launcher.exe           windows7-x64        3
launcher.exe           windows10-2004-x64  3

Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/10/2024, 00:48
Behavioral tasks

Task          Sample                                               Resource
behavioral1   4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe   win7-20240903-en
behavioral2   4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe   win10v2004-20241007-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                       win7-20240903-en
behavioral4   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20241007-en
behavioral5   $PLUGINSDIR/NSISdl.dll                               win7-20241010-en
behavioral6   $PLUGINSDIR/NSISdl.dll                               win10v2004-20241007-en
behavioral7   $PLUGINSDIR/nsis.exe                                 win7-20241010-en
behavioral8   $PLUGINSDIR/nsis.exe                                 win10v2004-20241007-en
behavioral9   GinoPlayer.exe                                       win7-20240708-en
behavioral10  GinoPlayer.exe                                       win10v2004-20241007-en
behavioral11  Interop.WMPLib.dll                                   win7-20240903-en
behavioral12  Interop.WMPLib.dll                                   win10v2004-20241007-en
behavioral13  Uninstall.exe                                        win7-20240903-en
behavioral14  Uninstall.exe                                        win10v2004-20241007-en
behavioral15  $PLUGINSDIR/InstallOptions.dll                       win7-20240708-en
behavioral16  $PLUGINSDIR/InstallOptions.dll                       win10v2004-20241007-en
behavioral17  launcher.exe                                         win7-20240903-en
behavioral18  launcher.exe                                         win10v2004-20241007-en
General
- Target: 4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
- Size: 958KB
- MD5: 4500b5e2709a64dd32071bd7ef49a6de
- SHA1: e2a5ab81f41287fc72436e8fc65115079c0d0cbd
- SHA256: aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545
- SHA512: 1cfde5da9ad9ead0981968e7b07794eb5c8deb310076a1cbc0fd1c473c9486d3bf3762c8619d3b856f0675240ab18f7c8d7eb3628f655921b36e4426b2b968e1
- SSDEEP: 24576:OHOCbQv8QJsX6YSsYNOkeS3PCXVAiEOiYt:8O4q83K/jhfe4O/
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  876   nsis.exe

- Loads dropped DLL (3 IoCs)
  pid   Process
  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- YARA rule matches
  resource                                                                    yara_rule
  behavioral2/files/0x0008000000023c6d-80.dat                                 upx
  behavioral2/memory/876-82-0x0000000000400000-0x0000000000541000-memory.dmp  upx
  behavioral2/memory/876-175-0x0000000000400000-0x0000000000541000-memory.dmp upx
  behavioral2/memory/876-176-0x0000000000400000-0x0000000000541000-memory.dmp upx

- Drops file in Program Files directory (6 IoCs)
  description   ioc                                                  Process
  File created  C:\Program Files (x86)\GinoPlayer\uninstall.ico      4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\launcher.exe       4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\ping.txt           4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\Uninstall.exe      4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\GinoPlayer.exe     4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  File created  C:\Program Files (x86)\GinoPlayer\Interop.WMPLib.dll 4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  nsis.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process                                             procid_target
  PID 2664 wrote to memory of 876  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  93
  PID 2664 wrote to memory of 876  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  93
  PID 2664 wrote to memory of 876  2664  4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe  93
Processes

- C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe"
  PID: 2664
  Signatures:
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe" /hwnd=1179728 /saff="ginoplayer_11730" /landing="0" /Path="C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\"
    PID: 876
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads