3b7a59af4ae63146127cb813f39e5310fedb82b3d0d7b6f8ffe0211c441ab536

Analysis

max time kernel
18s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
Size

16.5MB
MD5

55295fb4033a25836c27c2e9c674f58f
SHA1

c79a09c4185a8bd90857249b4245ae039a1a51bd
SHA256

3b7a59af4ae63146127cb813f39e5310fedb82b3d0d7b6f8ffe0211c441ab536
SHA512

3dec041ca014b736720aff9e8a9a15558867c5024affb7c685d87f74ac10d076fd0319ff70534f6cd637df83427aac2946262444e7ea7ee751e27e5f0d35ad5f
SSDEEP

393216:lVXlIwOBYpWjU2It74yrSJe/JSTSx1KOcy/iIJqPOZsE8I:ztxojYz2J2MQB3qPOZsnI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2672	setup.exe
1460	Setup.exe
1980	Setup.exe

Loads dropped DLL 15 IoCs

pid	Process
2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
2672	setup.exe
1460	Setup.exe
1460	Setup.exe
1460	Setup.exe
1460	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe
1980	Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setE4F4.tmp	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispE4F3.tmp\temp.000	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispE5C1.tmp\temp.000	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKeF83B.tmp	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKeF83B.tmp	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2236 wrote to memory of 2672	2236	55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe	29
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 2672 wrote to memory of 1460	2672	setup.exe	30
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31
PID 1460 wrote to memory of 1980	1460	Setup.exe	31

C:\Users\Admin\AppData\Local\Temp\55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\55295fb4033a25836c27c2e9c674f58f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\Setup.exe
      -deleter
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll

Filesize
304KB

MD5
369ecaca6c59265f47d234da8faab871

SHA1
162bf1cb2d201766e4f0fa52dbeddd603eca9a21

SHA256
ad010c642f2bb264c69c153dcde78daa0bbf4699155f22e16641bba82158e7b1

SHA512
3430ccc7c78633c860c29778a0b854d5acf52b65283e88f18cad51796ece59cee1b2b040ffebd50a6ea52d2ce88836a06c136b92d7efc97e75ce8989d7571392

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\data1.hdr

Filesize
17KB

MD5
db86c000785f8562bae66abd056efdb8

SHA1
6c7b7244235b8e95605dc67be753f533053d335d

SHA256
000897a1d86e5298abe30b4ea2f2633e4d2d248394fb4b7b1ecbd254026e4058

SHA512
f56b91e220b683aa0ea29746ae40404e47ddc317769667ae24be6edf169fe79908918008380279a79c80f52dae0c6a25261234a894b8801d8374fd04e0e5bee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\data2.cab

Filesize
512B

MD5
f95364b7ae4c0cc789a048cb794046a7

SHA1
23e1a3392328fdd9664ff0568c4db53f625d538f

SHA256
3d651678bb1066538b47bf24be4124a0e482c862b0166ea67173b6ec02e8b26f

SHA512
420521c175c25a3d29ba58a1ba16160ea73e97c74f1e15d7a6d4efdbd4dfc7e2f37754b6be84bbb5b60260f6cac3c2690e18fa2a136a4540efd99615ce527514

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\setup.ibt

Filesize
425KB

MD5
0fcd29b249c145bab33f24c8341dd0a3

SHA1
375d97a6c23974da0f73db806533bc3205676ec0

SHA256
8af43e8f489b166177d6820783f55d32911baed67378e5542ee0a3e3c51ec4bc

SHA512
57c5c61be9c2105dcc6da9830b527cb0acd83f04faab418df603874a3b682cd33148b3092ad8eb0b9ca91aa011278a5576aac62aa4074ebb4759928892091e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Audio\Setup\setup.ini

Filesize
683B

MD5
76a256045fd04f1a3b6d95ffeccabbd6

SHA1
a670168957ddeb4c53565552226c2ce590462e8c

SHA256
bb8450ed94eb4c4bbed9b9fe3e7bbc863d4c732f206e58abb7a2a03861b68e3c

SHA512
079021c6f198287c1b688741b8ddcbdf9b107cd96f100d77132d0eb726101431a1c7ff641035e8d69e1ef1a07f11f16d92eb817e6238a9a9f4e1cd67f60927f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CTShared\CTRedist\ASFTCV\setup.exe

Filesize
114KB

MD5
cafb55aa463c6df8802122838d50d2bb

SHA1
90054dfba153d69c426723121f2746d2aa18f912

SHA256
c500187ab0bafe03622c8fc4754915ed4cd36f643e691baf21c172c233660cc8

SHA512
e0d064db008543bf0d62ef93e60529393e7e7f1ff121f6e0cb7274a0ec981a3edeeb25cfb0a6564558aa8f6ed2750af39714cea3fd0bf3a5059f165b7a6813cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CTShared\CTRedist\ASFTCV\setup.skn

Filesize
40KB

MD5
80a74317e5617c5f88bb0116fef7f442

SHA1
e82cd59d105f1126948b190f2363baad95881e1d

SHA256
066b519ddcadb23dd5d030f92984b66ac77f38d44d9a3c7582fe00281abddcb7

SHA512
d9e7368ff85a8336d3919f9c61fd581047c3158700f63dc590f8707df58988427a0af7cdea864c5940f60a55613b6363517ecc4a0f4c65a63b246cd58137d3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SCTool\engine32.cab

Filesize
448KB

MD5
de89c44f15d1bfbcca26778af838f720

SHA1
5765184ccb2a2eed633d62abf50507235bb920b0

SHA256
fe5dc5947f277b459cb55877439e74e9bb2fb891cb42b72abc42322a51e8423d

SHA512
8aa8d3c94ec73d89af71461f4188c308f1f7d88af4a37736ac7b8ab1691933a067fe6e11ca58c19e984002faeb3fafb2c3ec28edac198b59b2b0934580de95fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
155B

MD5
d46a93ff9664a349cc1e96b06ee1c3fa

SHA1
93eebbc069bbe853d1c4b194bd54bb88749a62a2

SHA256
a2dc0d468a5f9d4f0eeaf5e46a79dcab284a3580bcdfe0dd35178524607f046b

SHA512
384d23829984568c046efd37aa152e3cd851fd31747b5b39bf1022be54c4307e74bc77761afe7d49938ec4cd4110ffe6c1a2e276e3f797baceeff045d0267026

Download Submit
C:\Users\Admin\AppData\Local\Temp\ispE5C0.tmp\_Setup.dll

Filesize
360KB

MD5
32fa757c64fb62f07f3205016656a0a7

SHA1
78c7d2f00878e2efa591a6e3ac80edab8242473b

SHA256
ff6944c00f11ab10cc9bcbfe4f6f0cbab088b52448904282a695eea56787d82a

SHA512
d87aef916ce072f16b6ca5978a424f2dc648d880241651019e6f21377834fdbba8dd424b002db373888840b358e13122c87e3db51a7bde6cdb1509fe74ac647a

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKeF83B.tmp

Filesize
712KB

MD5
1ea0c41b4f2f0e807700f9a72d99ac05

SHA1
65c693fd17be74d1c8dfeadd591f3c3408ae321c

SHA256
cb29c9091d22a94e1aa72a6f2a83e01013e5148d8dcfba8c90d2cdbd6d9b6e48

SHA512
3f4e80bd8d3808fb76acef835c70cc00503acf38f13d3cec54bbf9cf87343a4c1d148a146fa432ca884eaf3c327e199c17432c91f6d6424fb3c17890255feda3

Download Submit
\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ispE5C1.tmp\IGdi.dll

Filesize
184KB

MD5
298c79ac2f609736788cc7cacdeeef32

SHA1
1cce1dcc23a941e650edfeaa7de59327fa452ba2

SHA256
63671696aa87c0862e6381bc759116cd377c5331ab50ae6d05ba7cd29cf02580

SHA512
29fc496780a4fdac6a8c4af6b737973019e3087b5d3d8fe8625d4ce1de88e437eea0254d8900934846c6519ce0bffbcddfe1aa01cf5736b47dba58f06071fe23

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\setup.exe

Filesize
257KB

MD5
ed5d04e77a9eee553f9dcbc7609b32fe

SHA1
882e2336c79f3e8ae77e6664ad663d822b0e55c4

SHA256
421163097f31b0247c7f9ce6620898c868ff0a7c1a5d60e3bfcd21ddd2116282

SHA512
6ea52bf67eba8d9fa81529737c642dde598c3465fa7a8c5a05659f7e33299fe5e8a5ab6852695892aedb112b0318f86dd4c949601a66f3f7918ca3ec752b6c9d

Download Submit