Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/04/2024, 19:32
Static task
static1
Behavioral task
behavioral1
Sample
a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe
-
Size
128KB
-
MD5
a4b5c85d53120079a9bb9e54b1ff8a9b
-
SHA1
ab24b7b9aa8b7d2a033f11e06b03d12a8a0dc9e6
-
SHA256
e0653dc038521d02b48f6e69f3b62836d87eb4b4305e6a5f4540ad72b7cb5103
-
SHA512
6ed9e3b01388081cd78efae44347bc67d566f9e7b5571d9c0bc616dcec836c066a3c00fa2470d9bb80c991953f16f12888eb1ea42d680bf46a3677b6b29d2643
-
SSDEEP
3072:D6Oc3xxNSDrf8jV09T5oTrREqu6QlOiVBav09T5o:D6Oc3xzSI69dofRTCOinaM9do
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2084 outlook.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe" a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\outlook.exe a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe File opened for modification C:\Windows\sys32.exe a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe File opened for modification C:\Windows\outlook.cfg outlook.exe File created C:\Windows\sys32.exe a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe File created C:\Windows\outlook.exe a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28 PID 2032 wrote to memory of 2084 2032 a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a4b5c85d53120079a9bb9e54b1ff8a9b_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\outlook.exeC:\Windows\outlook.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2084
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220B
MD526afbe0465cd2bd92812d6d0e7e54412
SHA18de1830535c8ccc7748268587f5de15e52c38b94
SHA256301fb91df2be29d5e77d085c6a016b83b735a06a019d4229474328b7461a8e0c
SHA512703bcd559d1f02d6c3fb696111811baff843d2809e56ff481d19405f9fb71fc3a42a597717921a9c177dd0899b15f51296d029e75fa3001b3ce307f17509d761
-
Filesize
614B
MD5b191c4fdf8d4fe2d5878a30754abcb5d
SHA10e25396f2f77453d8380ea2f11c01a7d77c45915
SHA2562191d0304ea522767d36df2ec3d6cb3ed1ebf78b2ead2e5d963179ff995105a0
SHA51285f1335284257318336de11e7590af2d05f596bbe67ebbcad907d556259dee0a5ebf5b86a98d299f0678b3bf087f672ad9bce986786a3eeeec829bc5ce2a7146
-
Filesize
49KB
MD50e9379e357aba95f8b9883af9b67675e
SHA1280a174a414e5b8588f42b6328af2c8c8ff4394f
SHA25696b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
SHA5126cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784