Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2024, 09:02

General

  • Target

    663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe

  • Size

    102KB

  • MD5

    663b10f67ea3b87b9a8915288b24fa62

  • SHA1

    bab3c8dff02f1852d26c92682cf2222b5bfa3fb6

  • SHA256

    e801e07eadaf67a4c9a2d0bc21b9cbc1b5e4658fb8aead69943c8852a929a4b8

  • SHA512

    0568c4e621ca272a439ed154e19c2b93abe1cbd68400f24847594ddc651fee0b63ab223caf94a56c907261bd8fe69233db21a2deb23a527bf3f5fb3800c6d422

  • SSDEEP

    1536:97ANUHtHV6AWzwfFJUPfT4t3kUYp+djPw6R9TokKMdrcUPiegxDrXgOR2Ev3kDzt:9TvfTzcTsw6RqrMdrPKegtwOR2s3OB

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe
      C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 488
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2128

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe

          Filesize

          21KB

          MD5

          0d024fee646aea779047754218882343

          SHA1

          53521fbbb1daffe37cd9bd7cc7b58b31ba4e59e0

          SHA256

          0cab776450fab0f726931ae50dceffda054e134b347a9abe02f85e7269b3d77e

          SHA512

          dff02e82f8c2da000be605e94be126edbd6bc72f1cda7a76a625015b82880df28401a1e283f4ad55eda4c5be19667427502ddd004ba979b9f3d8c4c1f56ff511

        • \Program Files (x86)\GOPlayer\Uninstall.exe

          Filesize

          66KB

          MD5

          bff0fdb86add7fcf61bd450da04a9a83

          SHA1

          9d564865bf2f054eba4d5d6c2c5f23c179666ca6

          SHA256

          f46a2ee6c8d71d8fb4b4d11c0ffa95276fb0185bbcfbf2875c71ac6b647ff213

          SHA512

          deca12d4026de2129897486b67700150f8525bdeb7db2cc756c99b2f2233c75a2d4043de575b2940ece8a98c2881a46de89d19279f585981b202a7bd307be0b8

        • \Users\Admin\AppData\Local\Temp\nso35C2.tmp\StartMenu.dll

          Filesize

          9KB

          MD5

          0a58a89b32428fb848099f33e814e3ed

          SHA1

          661b73c3ff3579eb9d0c482af7354ee0461634a9

          SHA256

          aba4f462067f8c872d84c4c1ad6eaccf8bb6546c67c011964f8d2b62170f8236

          SHA512

          1f4efa7183670f9e9bcf1be56b3165393a97da29080bf1353358933f0f2e0544706982059a9408639782163f4f05bc9d38fca9be110f7d3058f2b0e0017e8dc5

        • memory/2668-22-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2668-34-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2668-35-0x000000006D040000-0x000000006D04A000-memory.dmp

          Filesize

          40KB

        • memory/2776-15-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2776-16-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/2776-14-0x0000000000401000-0x0000000000403000-memory.dmp

          Filesize

          8KB