Overview
overview
8Static
static
3663b10f67e...18.exe
windows7-x64
7663b10f67e...18.exe
windows10-2004-x64
8$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3$TEMP/GOPlayer.exe
windows7-x64
7$TEMP/GOPlayer.exe
windows10-2004-x64
8Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7Analysis
-
max time kernel
139s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2024, 09:02
Static task
static1
Behavioral task
behavioral1
Sample
663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
663b10f67ea3b87b9a8915288b24fa62_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$TEMP/GOPlayer.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
$TEMP/GOPlayer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Uninstall.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Uninstall.exe
Resource
win10v2004-20241007-en
General
-
Target
Uninstall.exe
-
Size
66KB
-
MD5
bff0fdb86add7fcf61bd450da04a9a83
-
SHA1
9d564865bf2f054eba4d5d6c2c5f23c179666ca6
-
SHA256
f46a2ee6c8d71d8fb4b4d11c0ffa95276fb0185bbcfbf2875c71ac6b647ff213
-
SHA512
deca12d4026de2129897486b67700150f8525bdeb7db2cc756c99b2f2233c75a2d4043de575b2940ece8a98c2881a46de89d19279f585981b202a7bd307be0b8
-
SSDEEP
1536:97ANUHtHV6AWzwfFJUPfT4t3kUYp+djPw6R9TokE9:9TvfTzcTsw6Rqz
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 4972 Au_.exe -
Executes dropped EXE 1 IoCs
pid Process 4972 Au_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Uninstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Au_.exe -
NSIS installer 1 IoCs
resource yara_rule behavioral8/files/0x0007000000023cb7-4.dat nsis_installer_2 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1840 wrote to memory of 4972 1840 Uninstall.exe 84 PID 1840 wrote to memory of 4972 1840 Uninstall.exe 84 PID 1840 wrote to memory of 4972 1840 Uninstall.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\2⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4972
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5bff0fdb86add7fcf61bd450da04a9a83
SHA19d564865bf2f054eba4d5d6c2c5f23c179666ca6
SHA256f46a2ee6c8d71d8fb4b4d11c0ffa95276fb0185bbcfbf2875c71ac6b647ff213
SHA512deca12d4026de2129897486b67700150f8525bdeb7db2cc756c99b2f2233c75a2d4043de575b2940ece8a98c2881a46de89d19279f585981b202a7bd307be0b8