fa3f5e54c66327bbf0b3e79b96fd69109420e8f59825aeb5a3f17878f6ab971f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe
Size

3.6MB
MD5

a82d67ed1f13d439b29f3269908b934f
SHA1

5df6e4577a44b8d6e8159d20b34b1fd0703f0750
SHA256

fa3f5e54c66327bbf0b3e79b96fd69109420e8f59825aeb5a3f17878f6ab971f
SHA512

55bedc18f14fdedfffb710f3cedff26f0e5dfad87722342d8f6821f9897cd67b2114c4e15d12de8170830bd1c5f45c2a2af810fce52e80b849ed422518d7b366
SSDEEP

98304:H4kfVh2oD6Lbnn82ZaRCCWvl8p9dHeH0XdPJqQwJXyO:H4en63nnrC4SeYxK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	ccsetup226.exe

Loads dropped DLL 5 IoCs

pid	Process
2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe
2672	ccsetup226.exe
2672	ccsetup226.exe
2672	ccsetup226.exe
2672	ccsetup226.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsetup226.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016f02-4.dat	nsis_installer_1
behavioral1/files/0x0008000000016f02-4.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	ccsetup226.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2672	2280	a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a82d67ed1f13d439b29f3269908b934f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\ccsetup226.exe
  "C:\Users\Admin\AppData\Local\Temp\ccsetup226.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjE581.tmp\ioFileY.ini

Filesize
920B

MD5
4c22bbe7f586c8d4fbca360034025ff5

SHA1
8931b50e223213cd9a88b8f15ec5f53f5a130c3d

SHA256
e98c2a13e6d77dd54f008cb998902fb41810bb28c9f434e14278bf35f6292d5d

SHA512
34edc3e0b88cc7a302975d010d779b6936520b1beece5e194d8cc4dcb99e98eea2c7ace97bc1cf57b51fc098fb20d326a138fc4955ae41a2d1e82bca9b3ef9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE581.tmp\ioSpecial.ini

Filesize
696B

MD5
0963104da1a4e374dfb7c756402eb7f2

SHA1
baf9cc78d73f296618aa960d30912119e9214841

SHA256
13b2f6de9a085a1fbe65bb7f6bb47e07f61f7d376c58dabaed7e362657139543

SHA512
1914b7b1eb446d47c9d839fc84219f4eaba7faae6d4fd4bea1ef4f1705e486070006b32f04a00e0bd878b42c5606b3bb6102f17da61a18cf2f745cd6c564357e

Download Submit
\Users\Admin\AppData\Local\Temp\ccsetup226.exe

Filesize
3.2MB

MD5
d3f8f4b1fd52f34349521f2275555927

SHA1
dc51386d4b48cac7d866653776905594000ceaee

SHA256
4bf58bc8ffd4c4ea3b36aa4cadf6b99b389009bd9497064037ee3d1f9191e430

SHA512
3904d564d432d88864d3f06750006e4bcc248918eda976182192794e39d07d9f7a144961cc705c16e5eabda30db06dcff10585331d4986f9a88884d3fd7571ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE581.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE581.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit