Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/10/2024, 08:42
Static task: static1
Behavioral tasks (task: sample, resource):
- behavioral1: 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe, win7-20240903-en
- behavioral2: 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe, win10v2004-20241007-en
- behavioral3: $PLUGINSDIR/ConnectionTester.dll, win7-20240903-en
- behavioral4: $PLUGINSDIR/ConnectionTester.dll, win10v2004-20241007-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240708-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral9: $PLUGINSDIR/y_toolbar.exe, win7-20240708-en
- behavioral10: $PLUGINSDIR/y_toolbar.exe, win10v2004-20241007-en
- behavioral11: content/ytoolbar/dialog.js, win7-20240903-en
- behavioral12: content/ytoolbar/dialog.js, win10v2004-20241007-en
- behavioral13: content/ytoolbar/feedFunctions.js, win7-20241010-en
- behavioral14: content/ytoolbar/feedFunctions.js, win10v2004-20241007-en
- behavioral15: content/ytoolbar/fileio.js, win7-20240903-en
- behavioral16: content/ytoolbar/fileio.js, win10v2004-20241007-en
- behavioral17: content/ytoolbar/globals.js, win7-20240708-en
- behavioral18: content/ytoolbar/globals.js, win10v2004-20241007-en
- behavioral19: content/ytoolbar/history.js, win7-20240903-en
- behavioral20: content/ytoolbar/history.js, win10v2004-20241007-en
- behavioral21: content/ytoolbar/i18n.js, win7-20240903-en
- behavioral22: content/ytoolbar/i18n.js, win10v2004-20241007-en
- behavioral23: content/ytoolbar/installerVariables.js, win7-20240903-en
- behavioral24: content/ytoolbar/installerVariables.js, win10v2004-20241007-en
- behavioral25: content/ytoolbar/network.js, win7-20240903-en
- behavioral26: content/ytoolbar/network.js, win10v2004-20241007-en
- behavioral27: content/ytoolbar/options.js, win7-20240903-en
- behavioral28: content/ytoolbar/options.js, win10v2004-20241007-en
- behavioral29: content/ytoolbar/setHomepage.js, win7-20241010-en
- behavioral30: content/ytoolbar/setHomepage.js, win10v2004-20241007-en
- behavioral31: content/ytoolbar/toolbarBuilder.js, win7-20241010-en
- behavioral32: content/ytoolbar/toolbarBuilder.js, win10v2004-20241007-en
General
- Target: 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
- Size: 6.3MB
- MD5: 662d135b8fd1bce690264eec52cc5ea5
- SHA1: 4b3c3ad316b8c1bb5fb91a435513f47db737156c
- SHA256: 6e058ce4dc4d3a35811341392350c57700c10754e737daecce149f5ad17cf4f6
- SHA512: ae870ebd55ddf991f7c146e2dd2445ba63bc3664927e091fb1a4eac1f3f96cb6c92107f5cb35995fb4438f8c8c899dd1c2f5ce4925fac7a9fb2219e4df034a6e
- SSDEEP: 196608:GzrjCrsnoZ2dMofpaaN6LaELMYxVBkrEoE4ClBlIGNK:GrCsi2takKMYxVBFp4esGN
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation (process: ydetect.exe)
- Executes dropped EXE (2 IoCs)
  PID 2764 DivXConnectionTester.exe; PID 2696 ydetect.exe
- Loads dropped DLL (21 IoCs)
  PID 1120 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe (9 entries); PID 2764 DivXConnectionTester.exe (3 entries); PID 2696 ydetect.exe (6 entries); PID 2764 DivXConnectionTester.exe (2 entries); PID 1120 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe, DivXConnectionTester.exe, ydetect.exe)
- NSIS installer (1 IoC)
  Resource behavioral1/files/0x0006000000016d11-41.dat matched YARA rule nsis_installer_1
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1120 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1120 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeRestorePrivilege, PID 2764 DivXConnectionTester.exe; Token: SeBackupPrivilege, PID 2764 DivXConnectionTester.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1120 (662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe) wrote to memory of PID 2764, procid_target 28 (7 entries); PID 1120 (662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe) wrote to memory of PID 2696, procid_target 29 (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"
  PID: 1120
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe (level 2, child of PID 1120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe"
    PID: 2764
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe (level 2, child of PID 1120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1
    PID: 2696
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads