Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/10/2024, 08:42

General

  • Target

    662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe

  • Size

    6.3MB

  • MD5

    662d135b8fd1bce690264eec52cc5ea5

  • SHA1

    4b3c3ad316b8c1bb5fb91a435513f47db737156c

  • SHA256

    6e058ce4dc4d3a35811341392350c57700c10754e737daecce149f5ad17cf4f6

  • SHA512

    ae870ebd55ddf991f7c146e2dd2445ba63bc3664927e091fb1a4eac1f3f96cb6c92107f5cb35995fb4438f8c8c899dd1c2f5ce4925fac7a9fb2219e4df034a6e

  • SSDEEP

    196608:GzrjCrsnoZ2dMofpaaN6LaELMYxVBkrEoE4ClBlIGNK:GrCsi2takKMYxVBFp4esGN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
      "C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2696

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\divx-bundle-updater.ini

          Filesize

          1KB

          MD5

          7dd6ce8d313ef7f0673f5072d88650a4

          SHA1

          c2fcd1bf23addee746862e366e21a9d1f9dcc3c8

          SHA256

          b91daf80c850ad247207d7cf0a1a480327a3fa5c63d62a554e38e8e6914e63ab

          SHA512

          8b6b5527a331268821f343f7cdb74612203643af2745b2fd7338645b23ae33e92120320358d09a0d125ab99b98c4bebd48cc556cd77d39244cd407845968e1c2

        • \Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe

          Filesize

          80KB

          MD5

          d1b411fc28aa7839bb236febc0950c96

          SHA1

          58c65d6501c16cb57cc7254d4292e6fd9deba2bb

          SHA256

          d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b

          SHA512

          be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee

        • \Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\InstallOptions.dll

          Filesize

          13KB

          MD5

          9b2bdf058d377da28704af9ca3ef1142

          SHA1

          0fc0d7fbc4c3a65eec33d9577ed38e545b3cc04b

          SHA256

          92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300

          SHA512

          ba0c2a312732832874642f6ca8d3b5aa4274da5cbb3a09d990b442becdf9a1abb98c61c5cbbb55f6a5341d2997388d01f93f69e4946e923a1892c7621775b93f

        • \Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\PCloser.dll

          Filesize

          64KB

          MD5

          472f68bb5ba2cc581a9dc320c864f84c

          SHA1

          245c09e194c6b4899314d9c6b041153b33f26ca7

          SHA256

          f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84

          SHA512

          7fc6c06fdf0e2aeffb0a2effd61839e6b3abe1dda808329bd59e5e72621f6c61bfd8d71f2b1c95f072626e0d2bfe0d8c60425096359f74e846950bc38a5fae9a

        • \Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\System.dll

          Filesize

          10KB

          MD5

          ed228603bf5d6ba382b59274dba35a0a

          SHA1

          037d40e0399902b5119d48995dfd2e96bc6de9a4

          SHA256

          a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37

          SHA512

          9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

        • \Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe

          Filesize

          47KB

          MD5

          4926b97e0cfc4edbda0ef962624e27a6

          SHA1

          fdc9e0d5fd03f72dda1ac58cd7e4fb211e47317b

          SHA256

          12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51

          SHA512

          acd29b3aa9e220d7d7f893c5c18b08a7517614b0a6228c0b44ebf31d3cfbf74b76894abb5a4cbbb3db540db3e1972eef8f4ba9b3b78f179ef6d6b18e64c4145d

        • \Users\Admin\AppData\Local\Temp\nsi511D.tmp\System.dll

          Filesize

          9KB

          MD5

          6621d1f4e191c018a0d8abb5c610d1aa

          SHA1

          c3af35a5df9361e2805bd84d3e3144e0b9c44d5b

          SHA256

          d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5

          SHA512

          6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

        • \Users\Admin\AppData\Local\Temp\nso513D.tmp\ConnectionTester.dll

          Filesize

          92KB

          MD5

          c0d23f9dd2f29b0ab20f2005b29b6a12

          SHA1

          412b1ff53c9d5d390d344787541450e091ea502b

          SHA256

          fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6

          SHA512

          75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744

        • memory/1120-25-0x00000000003E0000-0x00000000003F1000-memory.dmp

          Filesize

          68KB

        • memory/2764-100-0x0000000001E10000-0x0000000001E29000-memory.dmp

          Filesize

          100KB