Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2024, 00:48

General

  • Target

    4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe

  • Size

    958KB

  • MD5

    4500b5e2709a64dd32071bd7ef49a6de

  • SHA1

    e2a5ab81f41287fc72436e8fc65115079c0d0cbd

  • SHA256

    aebd5eb2e18bb475e1a19dcd96229ad9c0be201e9acc107a4d37131ed7aa0545

  • SHA512

    1cfde5da9ad9ead0981968e7b07794eb5c8deb310076a1cbc0fd1c473c9486d3bf3762c8619d3b856f0675240ab18f7c8d7eb3628f655921b36e4426b2b968e1

  • SSDEEP

    24576:OHOCbQv8QJsX6YSsYNOkeS3PCXVAiEOiYt:8O4q83K/jhfe4O/

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4500b5e2709a64dd32071bd7ef49a6de_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe
      "C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe" /hwnd=1179728 /saff="ginoplayer_11730" /landing="0" /Path="C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\GinoPlayer\launcher.exe

    Filesize

    550KB

    MD5

    9b83990fce13716ad79131772b15c915

    SHA1

    989dfc018c35a0242523c722da6fa881aa9f2678

    SHA256

    5b2338071972a864622a36a4452d218d70f1c80024c6f7d84e1c5aa590efd5d1

    SHA512

    e3ae253c7f9c3bdefe0965af1a788f26025c0994c2bcf76ed7c4048dad648b383bf245bd2854c90c40dd6f453868f9dec2b86cce8414dcfd00c61c898ace1c38

  • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\InstallOptions.dll

    Filesize

    14KB

    MD5

    325b008aec81e5aaa57096f05d4212b5

    SHA1

    27a2d89747a20305b6518438eff5b9f57f7df5c3

    SHA256

    c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

    SHA512

    18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

  • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\NSISdl.dll

    Filesize

    14KB

    MD5

    a5f8399a743ab7f9c88c645c35b1ebb5

    SHA1

    168f3c158913b0367bf79fa413357fbe97018191

    SHA256

    dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

    SHA512

    824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

  • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\ioSpecial.ini

    Filesize

    550B

    MD5

    262bdc8330205fa6058b135f565fb0c9

    SHA1

    6fa1c19f819d865a92ede9a294de81c4c8f46d02

    SHA256

    bcffa014a7919cbb1cd599f4a8e7ee46587f39769768e04d0e20c5b7703ea6b0

    SHA512

    7564a29535e2001b078250f948e850e09e68dcae55e6756d39f127d03001774601de2e4db1e9e96707ae43cebee77485f638cf6045274192f3d4816d0f59d8a0

  • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\ioSpecial.ini

    Filesize

    688B

    MD5

    03820b6d29ecaaba53821b2cbbbd2a5a

    SHA1

    88e70d81313f32bcd374776ba82ed2cfa3248868

    SHA256

    3ffd6d463b8d140104f0364e0af81e5dd44e3068087dfd29aea28e970eb6f437

    SHA512

    e7567f99d9cf0ad78fabbfb3e347ec5a43f0a131ffab91598616f97d305dc2b6e1bb307df68de3368b80d224fdd888e63ad235e02dd325a2a9194902af734df1

  • C:\Users\Admin\AppData\Local\Temp\nsd8FAE.tmp\nsis.exe

    Filesize

    448KB

    MD5

    7b99f808968d538c99962640c85742ac

    SHA1

    717ba7eeb1bd3846d3c9bfecd184a185fc3da1c1

    SHA256

    f738ffbedeca142ca69d6f3263183328787bdcc054dea0340d2595367de98997

    SHA512

    845299374d069a8c97d0f182e06c17e1c594242cf23981b6a244167228f2c265401ab023b9458988cc810638cb28f886a006d3abd264e70ec92570397d2e50bc

  • memory/876-82-0x0000000000400000-0x0000000000541000-memory.dmp

    Filesize

    1.3MB

  • memory/876-83-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

  • memory/876-175-0x0000000000400000-0x0000000000541000-memory.dmp

    Filesize

    1.3MB

  • memory/876-177-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

  • memory/876-176-0x0000000000400000-0x0000000000541000-memory.dmp

    Filesize

    1.3MB