Analysis

max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 09:02
Task         Type        Sample                                              Resource
static1      Static
behavioral1  Behavioral  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe  win7-20240708-en
behavioral2  Behavioral  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe  win10v2004-20241007-en
behavioral3  Behavioral  $PLUGINSDIR/StartMenu.dll                           win7-20240903-en
behavioral4  Behavioral  $PLUGINSDIR/StartMenu.dll                           win10v2004-20241007-en
behavioral5  Behavioral  $TEMP/GOPlayer.exe                                  win7-20240708-en
behavioral6  Behavioral  $TEMP/GOPlayer.exe                                  win10v2004-20241007-en
behavioral7  Behavioral  Uninstall.exe                                       win7-20241010-en
behavioral8  Behavioral  Uninstall.exe                                       win10v2004-20241007-en
General

Target: 663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
Size: 102KB
MD5: 663b10f67ea3b87b9a8915288b24fa62
SHA1: bab3c8dff02f1852d26c92682cf2222b5bfa3fb6
SHA256: e801e07eadaf67a4c9a2d0bc21b9cbc1b5e4658fb8aead69943c8852a929a4b8
SHA512: 0568c4e621ca272a439ed154e19c2b93abe1cbd68400f24847594ddc651fee0b63ab223caf94a56c907261bd8fe69233db21a2deb23a527bf3f5fb3800c6d422
SSDEEP: 1536:97ANUHtHV6AWzwfFJUPfT4t3kUYp+djPw6R9TokKMdrcUPiegxDrXgOR2Ev3kDzt:9TvfTzcTsw6RqrMdrPKegtwOR2s3OB
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  pid   Process
  2776  GOPlayer.exe

- Loads dropped DLL (11 IoCs)
  pid   Process
  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
  2776  GOPlayer.exe
  2776  GOPlayer.exe
  2776  GOPlayer.exe
  2128  WerFault.exe
  2128  WerFault.exe
  2128  WerFault.exe
  2128  WerFault.exe
  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Program Files directory (1 IoC)
  description   ioc                                            Process
  File created  C:\Program Files (x86)\GOPlayer\Uninstall.exe  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2128  2776        WerFault.exe  30

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GOPlayer.exe

- NSIS installer (1 IoC)
  resource                                     yara_rule
  behavioral1/files/0x0005000000019d5c-25.dat  nsis_installer_2

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (14 IoCs; each row below was recorded 7 times)
  description                       pid   Process                                             procid_target  occurrences
  PID 2668 wrote to memory of 2776  2668  663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe  30             7
  PID 2776 wrote to memory of 2128  2776  GOPlayer.exe                                        31             7
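The signature list above is the sandbox's rule hits over the raw behaviour trace: a file-create under Program Files, a registry open of the NLS\Language key, a process whose image was written earlier in the run, a WerFault.exe launch whose -p argument names the faulting PID, and memory writes into another process. The Python script below is an added example (not code from the sandbox or from this report) that re-derives five of those signatures from a constructed event stream modelled on the IoCs listed above. The event record layout (kind, pid, image, path, key, target_pid, child_image, cmdline) and the function names are this example's own assumptions; the "Loads dropped DLL" signature and the TTP-only entries with no IoCs are not modelled.

```python
"""Re-derive a sandbox report's behavioural signatures from raw events.

Added example, not the sandbox's own code. The event stream below is
CONSTRUCTED to mirror the IoCs listed in the report: PIDs 2668 (the
sample), 2776 (GOPlayer.exe) and 2128 (WerFault.exe), the NLS\\Language
registry key, the Program Files drop and the WerFault crash handler.
The record layout (kind / pid / image / path / key / target_pid /
child_image / cmdline) is an assumption of this script, not the
sandbox's export format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe"
GOPLAYER = r"C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"


def ev(kind, pid, image, **extra):
    """One behavioural event as a monitor might record it (constructed)."""
    return {"kind": kind, "pid": pid, "image": image, **extra}


EVENTS = (
    [
        ev("file_create", 2668, SAMPLE, path=r"C:\Program Files (x86)\GOPlayer\Uninstall.exe"),
        ev("file_create", 2668, SAMPLE, path=GOPLAYER),
        ev("reg_open", 2668, SAMPLE, key=NLS_KEY),
        ev("process_create", 2668, SAMPLE, target_pid=2776, child_image=GOPLAYER, cmdline=GOPLAYER),
    ]
    # the report shows seven WriteProcessMemory hits per parent/child pair
    + [ev("write_memory", 2668, SAMPLE, target_pid=2776)] * 7
    + [
        ev("reg_open", 2776, GOPLAYER, key=NLS_KEY),
        ev("process_create", 2776, GOPLAYER, target_pid=2128, child_image=WERFAULT,
           cmdline=WERFAULT + " -u -p 2776 -s 488"),
    ]
    + [ev("write_memory", 2776, GOPLAYER, target_pid=2128)] * 7
)


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def run_signatures(events):
    """Map signature name -> list of IoC dicts, mirroring the report's rules."""
    hits = defaultdict(list)
    dropped = set()  # lower-cased paths written by a monitored process

    for e in events:
        kind = e["kind"]
        if kind == "file_create":
            dropped.add(e["path"].lower())
            if e["path"].lower().startswith(r"c:\program files"):
                hits["Drops file in Program Files directory"].append(
                    {"description": "File created", "ioc": e["path"], "process": basename(e["image"])})
        elif kind == "process_create":
            # Executes dropped EXE: the child image is a file this run created
            if e["child_image"].lower() in dropped:
                hits["Executes dropped EXE"].append(
                    {"pid": e["target_pid"], "process": basename(e["child_image"])})
            # Program crash: WerFault's -p argument names the faulting process
            m = re.search(r"werfault\.exe\b.*?-p\s+(\d+)", e["cmdline"], re.IGNORECASE)
            if m:
                hits["Program crash"].append(
                    {"pid": e["target_pid"], "pid_target": int(m.group(1)),
                     "process": basename(e["child_image"])})
        elif kind == "reg_open":
            if e["key"].lower().endswith(r"\control\nls\language"):
                hits["System Location Discovery: System Language Discovery"].append(
                    {"description": "Key opened", "ioc": e["key"], "process": basename(e["image"])})
        elif kind == "write_memory":
            if e["target_pid"] != e["pid"]:  # a write into another process's memory
                hits["Suspicious use of WriteProcessMemory"].append(
                    {"description": f"PID {e['pid']} wrote to memory of {e['target_pid']}",
                     "pid": e["pid"], "process": basename(e["image"])})
    return dict(hits)


def ioc_counts(hits):
    """Signature name -> number of IoCs, the 'N IoCs' figure in the report."""
    return {name: len(iocs) for name, iocs in hits.items()}


if __name__ == "__main__":
    hits = run_signatures(EVENTS)
    for name, count in ioc_counts(hits).items():
        print(f"{name}: {count} IoC{'s' if count != 1 else ''}")
        for ioc in hits[name][:2]:
            print("   ", ioc)
```

Run as-is it reproduces the report's counts for the modelled rules (1, 1, 2, 1 and 14). The "Program crash" rule is the one worth noting when reading the tree: WerFault.exe is a Windows component, so the interesting datum is not its image but the -p 2776 argument, which is what ties the crash back to GOPlayer.exe and why the report lists WerFault.exe with pid_target 2776.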
Processes

- C:\Users\Admin\AppData\Local\Temp\663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe"
  PID: 2668
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\GOPlayer.exe
    PID: 2776
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 488
      PID: 2128
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 21KB
  MD5: 0d024fee646aea779047754218882343
  SHA1: 53521fbbb1daffe37cd9bd7cc7b58b31ba4e59e0
  SHA256: 0cab776450fab0f726931ae50dceffda054e134b347a9abe02f85e7269b3d77e
  SHA512: dff02e82f8c2da000be605e94be126edbd6bc72f1cda7a76a625015b82880df28401a1e283f4ad55eda4c5be19667427502ddd004ba979b9f3d8c4c1f56ff511

- Filesize: 66KB
  MD5: bff0fdb86add7fcf61bd450da04a9a83
  SHA1: 9d564865bf2f054eba4d5d6c2c5f23c179666ca6
  SHA256: f46a2ee6c8d71d8fb4b4d11c0ffa95276fb0185bbcfbf2875c71ac6b647ff213
  SHA512: deca12d4026de2129897486b67700150f8525bdeb7db2cc756c99b2f2233c75a2d4043de575b2940ece8a98c2881a46de89d19279f585981b202a7bd307be0b8

- Filesize: 9KB
  MD5: 0a58a89b32428fb848099f33e814e3ed
  SHA1: 661b73c3ff3579eb9d0c482af7354ee0461634a9
  SHA256: aba4f462067f8c872d84c4c1ad6eaccf8bb6546c67c011964f8d2b62170f8236
  SHA512: 1f4efa7183670f9e9bcf1be56b3165393a97da29080bf1353358933f0f2e0544706982059a9408639782163f4f05bc9d38fca9be110f7d3058f2b0e0017e8dc5