Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 18:46
Static task: static1
Behavioral task: behavioral1
  Sample: a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  Resource: win10v2004-20240319-en
General
Target: a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
Size: 64KB
MD5: a3b1446fd4500f7460180df5cb6f11b6
SHA1: 1844eda1ba9e31a1a7b240b6b57953780aa3f182
SHA256: 0af60ba74492baa301258fb783bdd28b2b9b0594985f0eefd2aea353082bd18c
SHA512: 8bcd1d4e6a9e425d83f42e251b6cd9a84548dbf6b9d3a7e52890c6bb6c9d69482b0d39f79041b6beaffc1656b90043e4478a6923bd7726863b66c3dd457d3c3a
SSDEEP: 1536:BAayJc/J4gaLMtIlYPnQR8P5UTfl1fMO7WHNfWUX:BAayE40IqB5ULl1fMO7WFWUX
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2392  outlook.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                            Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe

Drops file in Windows directory (6 IoCs)
  description                   ioc                     Process
  File opened for modification  C:\Windows\outlook.cfg  outlook.exe
  File created                  C:\Windows\crc32.cfg    outlook.exe
  File created                  C:\Windows\sys32.exe    a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  File created                  C:\Windows\outlook.exe  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  File opened for modification  C:\Windows\outlook.exe  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  File opened for modification  C:\Windows\sys32.exe    a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2324  2392        WerFault.exe  94

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                             procid_target
  PID 4908 wrote to memory of 2392  4908  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe  94
  PID 4908 wrote to memory of 2392  4908  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe  94
  PID 4908 wrote to memory of 2392  4908  a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe  94
Processes
- C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a3b1446fd4500f7460180df5cb6f11b6_JaffaCakes118.exe" 1⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4908
  - C:\Windows\outlook.exe
    C:\Windows\outlook.exe 2⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 2392
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 39664 3⤵
      - Program crash
      PID: 2324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2392 -ip 2392 1⤵
  PID: 4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4016 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8 1⤵
  PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 323c82a0a7326e718a9460e82310a00f
  SHA1: 780c63b2928ef6c56890298b79a37ac06edc6a20
  SHA256: 95ec3e379a36e5062ec46a2c40a30a3fbd952f3083d041502e75cb2e5147921f
  SHA512: fa2381d7f26b9e46b350ef8719a2c9a8e8965eab7d509d514cca6b3842606e51814537dee8cfea0d63ff6af9aca6343e75a6ef59d9d2f2b509e36fa068a15631
- Filesize: 356B
  MD5: 1b791a9deb6baa82865c97051064d29b
  SHA1: 0b8158c8fba3bff48214109c05a83fb0441ec14c
  SHA256: 6b41b33f76fe9ca2e5d9c25b5da32dc66eac89eceb46f227f6794db400fe40bc
  SHA512: 5dc78f4107602291018baf427e54b7d18a9fc0f7d577ccf828e17ca791b15f1c2440a7b32505abae829caeb1e8730880a5f3209ac97c8d1bdbe38deaa643b04f
- Filesize: 736B
  MD5: c82022d76bfb8965c1b3b3cf9ccd68a4
  SHA1: 948c73c98c4a0d8ce550ed595c499f4dc91a68a4
  SHA256: 89f4b501f7f9ca8d9ed2c2ce8beb31cf95a0ba0a8fdcce98146b433832f042e1
  SHA512: 596e85a7cb62f8feccdd9423eadbdf79d9077eb5a7fec8837bc44339b739c86636ce431720519f8ca3e0fd95b4325ff0d8394eea90a30f79a7a862dfcf8f313c
- Filesize: 1KB
  MD5: 02096ea090aecdb16b13da71c8eb1198
  SHA1: 260a658884cd0c1fe0d01b8b0913655535489561
  SHA256: 8de50c81774b01171d15f54bcde216d9fe78861cf5697fc73b10307dd6b72d17
  SHA512: b4cbe17d740cf47542d82c273faedb9339d4d2e404779320ea2a62e838237353610a19509f48179ff97505ffc45b0fd5ce4b17d3b6888de949b0aa3eb0e0c28e
- Filesize: 1KB
  MD5: ab335f7c69727d9028e4c5c3c5960489
  SHA1: 86ed5a6ab4816538bf29c16b964530f778421bc1
  SHA256: 6285c41eeb4ba18be803af2f800ee74963a304e717a55a50147d80568c4db58d
  SHA512: f2ddc3e06f2409d1e1f1e96328c09e7b0f1efd858f0a1b891e9aafae322f565a4239c3f32db5f9f17d0e5c33098af0bdea3ba0968ffd0d62b47ef90177990e40
- Filesize: 49KB
  MD5: 0e9379e357aba95f8b9883af9b67675e
  SHA1: 280a174a414e5b8588f42b6328af2c8c8ff4394f
  SHA256: 96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28
  SHA512: 6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784