Analysis
max time kernel: 147s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 21:56
Static task: static1
Behavioral task: behavioral1
  Sample: 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
Size: 2.2MB
MD5: 111e78d8cc3e0772ade0782b8365d435
SHA1: c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257
SHA256: e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27
SHA512: 64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a
SSDEEP: 12288:0m5iyVP35aWloeBd4gQOBikixnkBkMXuXrY2eXNPnrEdrE:n5iyBF1BxkkiNkBkM+XrYxXN/odo
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: budgetn.shop
Port: 587
Username: [email protected]
Password: eC~Z,TG&S9jM
Email To: [email protected]
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload 1 IoC
Processes:
  resource: behavioral2/memory/2712-6-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  (111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  (dfxzdg.exe)
Executes dropped EXE 2 IoCs
Processes:
  pid 2532  dfxzdg.exe
  pid 4792  dfxzdg.exe
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 16  freegeoip.app
  flow 52  checkip.dyndns.org
  flow 54  freegeoip.app
  flow 13  checkip.dyndns.org
  flow 15  freegeoip.app
Suspicious use of SetThreadContext 2 IoCs
Processes:
  PID 384 set thread context of 2712   111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe -> 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  PID 2532 set thread context of 4792  dfxzdg.exe -> dfxzdg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
  pid 3692 WerFault.exe  -> target pid 2712  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  pid 2100 WerFault.exe  -> target pid 4792  dfxzdg.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid 212   schtasks.exe
  pid 2136  schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 2712  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  pid 4792  dfxzdg.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: SeDebugPrivilege  pid 384   111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2712  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 2532  dfxzdg.exe
  Token: SeDebugPrivilege  pid 4792  dfxzdg.exe
Suspicious use of WriteProcessMemory 34 IoCs
Processes (source pid -> target pid; repeated writes to the same target collapsed with a count):
  PID 384  wrote to memory of 2712  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe -> 111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe  (x8)
  PID 384  wrote to memory of 1692  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe -> cmd.exe  (x3)
  PID 384  wrote to memory of 1816  111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe -> cmd.exe  (x3)
  PID 1692 wrote to memory of 2136  cmd.exe -> schtasks.exe  (x3)
  PID 2532 wrote to memory of 4792  dfxzdg.exe -> dfxzdg.exe  (x8)
  PID 2532 wrote to memory of 3480  dfxzdg.exe -> cmd.exe  (x3)
  PID 2532 wrote to memory of 2208  dfxzdg.exe -> cmd.exe  (x3)
  PID 3480 wrote to memory of 212   cmd.exe -> schtasks.exe  (x3)
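The SetThreadContext and WriteProcessMemory signatures above together are the process-hollowing pattern: the parent writes a payload into a suspended child running the same image (PID 384 into 2712, PID 2532 into 4792) and then redirects the child's main thread into it, which is why the YARA hit lands in the child's 0x400000 image region. The Python below is an added example, not part of the sandbox report; it correlates the two event types over an event list constructed from the PIDs and image paths shown above (the tuple layout and field names are assumptions, not a sandbox export format) and separates the hollowing pairs from the ordinary parent-to-child writes that accompany every CreateProcess.

```python
"""Correlate WriteProcessMemory / SetThreadContext events into hollowing findings.

Added example. The event stream is constructed from the PIDs and image paths
in the report above; the record layout is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# pid -> image path, taken from the process tree in the report
PROCESSES = {
    384: SAMPLE, 2712: SAMPLE, 1692: CMD, 1816: CMD, 2136: SCHTASKS,
    2532: DROPPED, 4792: DROPPED, 3480: CMD, 2208: CMD, 212: SCHTASKS,
}

# (operation, source pid, target pid); multiplicities match the 34 + 2 IoCs above
EVENTS = (
    [("WriteProcessMemory", 384, 2712)] * 8
    + [("WriteProcessMemory", 384, 1692)] * 3
    + [("WriteProcessMemory", 384, 1816)] * 3
    + [("WriteProcessMemory", 1692, 2136)] * 3
    + [("WriteProcessMemory", 2532, 4792)] * 8
    + [("WriteProcessMemory", 2532, 3480)] * 3
    + [("WriteProcessMemory", 2532, 2208)] * 3
    + [("WriteProcessMemory", 3480, 212)] * 3
    + [("SetThreadContext", 384, 2712), ("SetThreadContext", 2532, 4792)]
)


@dataclass(frozen=True)
class Finding:
    source: int
    target: int
    writes: int
    same_image: bool
    severity: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_hollowing(processes, events):
    """Return (findings, benign_pairs).

    A (source, target) pair is a hollowing candidate when the source both wrote
    into the target and replaced a thread context in it. Cross-process writes
    without a SetThreadContext are the normal parent->child startup writes
    (command line, environment, PEB) and are returned separately so they are
    visible but not scored as injection.
    """
    writes = Counter((s, t) for op, s, t in events if op == "WriteProcessMemory" and s != t)
    contexts = Counter((s, t) for op, s, t in events if op == "SetThreadContext" and s != t)

    findings = []
    for src, dst in sorted(contexts):
        same = _basename(processes[src]) == _basename(processes[dst])
        n_writes = writes.get((src, dst), 0)
        # Same image + thread hijack + memory writes is the strongest signal;
        # a thread hijack of a different image is still injection, scored lower.
        severity = "high" if same and n_writes else ("medium" if n_writes else "low")
        findings.append(Finding(src, dst, n_writes, same, severity))

    benign = sorted(pair for pair in writes if pair not in contexts)
    return findings, benign


if __name__ == "__main__":
    found, startup_only = find_hollowing(PROCESSES, EVENTS)
    for f in found:
        print(f"{f.severity}: pid {f.source} -> pid {f.target} "
              f"({_basename(PROCESSES[f.target])}), {f.writes} writes, same image={f.same_image}")
    print("startup-only writes:", startup_only)
```

Run against the constructed stream it reports exactly two high-severity pairs, 384 -> 2712 and 2532 -> 4792, and lists the six cmd.exe/schtasks.exe pairs as startup-only writes. The same correlation works on Sysmon-style telemetry if you map CreateRemoteThread/SetThreadContext equivalents into the same tuple shape; the discriminator is the thread-context change, not the write count.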
Processes
[1] C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1816
        - Program crash
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
        - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\111e78d8cc3e0772ade0782b8365d435_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2712 -ip 2712
[1] C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
    cmdline: C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1812
        - Program crash
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
        - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4792 -ip 4792
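The persistence in the process tree is a single schtasks /create line: a task named "Nano" that re-launches the copy in AppData\Roaming every minute and uses /f to overwrite any earlier task of that name (the dropped copy re-registers it on each run). The Python below is an added example, not part of the sandbox report; it tokenizes a schtasks command line (with or without the cmd.exe /c wrapper), pulls out the task name, schedule and action, and scores the result against a few persistence heuristics. The two malicious command lines are copied from the tree above; the benign "Backup" line and the scoring thresholds are my own constructions.

```python
"""Parse a schtasks /create command line and score it for persistence abuse.

Added example, not part of the sandbox report. The first two command lines
are copied from the process tree above; the third is constructed as a benign
control, and the scoring rules are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Options that consume the next token as a value; everything else is a bare switch.
_VALUE_OPTS = {"sc", "mo", "tn", "tr", "st", "sd", "ed", "ru", "rp", "d", "m",
               "i", "du", "ri", "s", "u", "p"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Directories a standard user can write to; a task action living here is a red flag.
_USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                  "\\users\\public\\", "\\programdata\\")

SAMPLE_CMDLINES = [
    # copied from the report's process tree (cmd.exe wrapper and bare schtasks)
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f''',
    # constructed benign control, not from the report
    r'''schtasks /create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"''',
]


@dataclass
class ScheduledTask:
    name: str
    action: str
    schedule: str
    modifier: Optional[int]
    switches: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def tokenize(cmdline: str):
    """Split on whitespace while honouring double quotes; return tokens after 'schtasks'."""
    toks = [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]
    for i, t in enumerate(toks):
        low = t.lower()
        if low.endswith("schtasks") or low.endswith("schtasks.exe"):
            return toks[i + 1:]
    raise ValueError("no schtasks invocation in command line")


def parse_schtasks(cmdline: str) -> ScheduledTask:
    toks = tokenize(cmdline)
    opts, switches = {}, set()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t.startswith("/"):
            name = t[1:].lower()
            if name in _VALUE_OPTS and i + 1 < len(toks):
                opts[name] = toks[i + 1]
                i += 2
                continue
            switches.add(name)
        i += 1
    if "create" not in switches:
        raise ValueError("not a /create invocation")
    mo = opts.get("mo")
    task = ScheduledTask(
        name=opts.get("tn", ""),
        # /tr in the report nests single quotes inside the double quotes; strip both
        action=opts.get("tr", "").strip("'\""),
        schedule=opts.get("sc", "").lower(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        switches=switches,
    )
    _score(task)
    return task


def _score(task: ScheduledTask) -> None:
    low = task.action.lower()
    if any(p in low for p in _USER_WRITABLE):
        task.reasons.append("action runs from a user-writable directory")
    if task.schedule == "minute" and (task.modifier or 1) <= 5:
        task.reasons.append(f"re-executes every {task.modifier or 1} minute(s), watchdog-style")
    if "f" in task.switches:
        task.reasons.append("/f silently overwrites an existing task of the same name")
    if task.schedule in {"onlogon", "onstart"}:
        task.reasons.append("runs at logon or boot")


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        t = parse_schtasks(line)
        print(f"{t.name!r} score={t.score} action={t.action} sc={t.schedule} mo={t.modifier}")
        for r in t.reasons:
            print("   -", r)
```

Both report lines parse to the same task (name "Nano", every 1 minute, action under AppData\Roaming, /f set) and score 3; the constructed daily backup task scores 0. On a real host the same fields are available from the Task Scheduler operational log (event 106) or by enumerating the XML under C:\Windows\System32\Tasks, so the scoring can be applied there as well as to command-line telemetry.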
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
  Filesize: 2.2MB
  MD5: 111e78d8cc3e0772ade0782b8365d435
  SHA1: c53a394e097c1a7a1fb8d8e53ad850c7f3c0c257
  SHA256: e24e32d3cbe89de6119e8d181205aebd073055e2d4b8c873954213553b639b27
  SHA512: 64631e4d2e882b48d168cbbcbaf7b90a3dafaa5d2c65cdb5cd6dff16eb005c2ffcede50e7194b0c512d59747e0093c1c2f8de24f64ced0e2cd2011631c0e818a
memory/384-13-0x0000000074400000-0x0000000074BB0000-memory.dmp   Filesize: 7.7MB
memory/384-1-0x0000000000050000-0x000000000028A000-memory.dmp    Filesize: 2.2MB
memory/384-2-0x0000000005370000-0x0000000005914000-memory.dmp    Filesize: 5.6MB
memory/384-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp    Filesize: 584KB
memory/384-4-0x0000000004DB0000-0x0000000004DC0000-memory.dmp    Filesize: 64KB
memory/384-5-0x0000000004D60000-0x0000000004D6A000-memory.dmp    Filesize: 40KB
memory/384-0-0x0000000074400000-0x0000000074BB0000-memory.dmp    Filesize: 7.7MB
memory/384-14-0x0000000004DB0000-0x0000000004DC0000-memory.dmp   Filesize: 64KB
memory/2532-18-0x0000000000550000-0x000000000078A000-memory.dmp  Filesize: 2.2MB
memory/2532-17-0x0000000074400000-0x0000000074BB0000-memory.dmp  Filesize: 7.7MB
memory/2532-19-0x0000000002F60000-0x0000000002F70000-memory.dmp  Filesize: 64KB
memory/2532-25-0x0000000074400000-0x0000000074BB0000-memory.dmp  Filesize: 7.7MB
memory/2532-26-0x0000000002F60000-0x0000000002F70000-memory.dmp  Filesize: 64KB
memory/2712-12-0x0000000074400000-0x0000000074BB0000-memory.dmp  Filesize: 7.7MB
memory/2712-9-0x0000000005930000-0x0000000005940000-memory.dmp   Filesize: 64KB
memory/2712-7-0x0000000074400000-0x0000000074BB0000-memory.dmp   Filesize: 7.7MB
memory/2712-8-0x0000000005600000-0x000000000569C000-memory.dmp   Filesize: 624KB
memory/2712-6-0x0000000000400000-0x0000000000426000-memory.dmp   Filesize: 152KB
memory/4792-22-0x0000000074400000-0x0000000074BB0000-memory.dmp  Filesize: 7.7MB
memory/4792-23-0x00000000058D0000-0x00000000058E0000-memory.dmp  Filesize: 64KB
memory/4792-24-0x0000000074400000-0x0000000074BB0000-memory.dmp  Filesize: 7.7MB