Analysis

  • max time kernel
    140s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/04/2024, 19:02

General

  • Target

    a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    a414244ecb89d5bdc1a0ece12bb2c2a9

  • SHA1

    fb2c07209b248f612f48a898f449da88b2624fd9

  • SHA256

    59822012b04406a3df0f5893619e6129398134fc922d53ff1f1c9a6daf803f5b

  • SHA512

    f0468ac67445f92a55d1f1511a169f8cada6235209dea67b133c9010201f220d4165e16d8bc50a5385f098d8733bac3ea91f4f270ea605e5768d20e40cc927e9

  • SSDEEP

    24576:8uPmLDUMihIXCE5y8FyDgy7dml+i2rYNapO:8u+LIIX7Y8t+iiYN2O

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2384
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Users\Public\Microsoft Build\Isass.exe
          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2256
            • C:\Users\Public\Microsoft Build\Isass.exe
              "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                7⤵
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2480
                • C:\Users\Public\Microsoft Build\Isass.exe
                  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2624
                  • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                    "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                    9⤵
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:2476
                    • C:\Users\Public\Microsoft Build\Isass.exe
                      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:2532
                      • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                        "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                        11⤵
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:2908
                        • C:\Users\Public\Microsoft Build\Isass.exe
                          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                          12⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:1108
                          • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                            "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                            13⤵
                            • Loads dropped DLL
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:2268
                            • C:\Users\Public\Microsoft Build\Isass.exe
                              "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:2716
                              • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                                "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                                15⤵
                                • Loads dropped DLL
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                PID:1988
                                • C:\Users\Public\Microsoft Build\Isass.exe
                                  "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:308
                                  • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                                    "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                                    17⤵
                                    • Loads dropped DLL
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1584
                                    • C:\Users\Public\Microsoft Build\Isass.exe
                                      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1824
                                      • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe
                                        "C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2124

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\a414244ecb89d5bdc1a0ece12bb2c2a9_JaffaCakes118.exe

          Filesize

          452KB

          MD5

          276c1b7f46b8488344e85387c9ce6e80

          SHA1

          2901f43aa439f48baf786018696546e580ba9880

          SHA256

          608c5265075bacf05353a4d816fe815ec1ba2e95bb88313d5cf38655274841be

          SHA512

          5e02be9cfd27c3de2e17618958c5b82b38ef402ca59c260a1c93e2b0ac30871be29f43b3f160c8adb9c56061f5138db33a07e172c7c445c62fe0cd78f5fd1c8f

        • C:\Users\Public\Microsoft Build\Isass.exe

          Filesize

          624KB

          MD5

          dedd8708721873baf3d803c3554dc7dd

          SHA1

          070047ee6b6fe52be226009c817370f6e69f9d31

          SHA256

          529b1a8217a932c507302ad85cd050d294316c7155122026ea11ef0233397685

          SHA512

          913bac5400e1fcdff288521a1832330566d2c136e899f4a60874509dd0837d09b3b474af57da951fd50f1a8abdad2edfd0a463827b4f1b7dbbfd5a9cf7d3fd92

        • memory/308-63-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/308-62-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/1108-50-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/1108-51-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/1584-66-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/1584-64-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/1720-14-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/1720-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/1824-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/1824-75-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/1988-61-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/1988-58-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

        • memory/2192-16-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2192-15-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2256-24-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

        • memory/2256-28-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2268-52-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2268-54-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-76-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-97-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-138-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-126-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-125-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-114-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-113-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-104-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-103-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-96-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-88-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-87-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-80-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-79-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2384-9-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2476-42-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2476-38-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2480-31-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2480-34-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2532-43-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2532-44-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2608-17-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2608-20-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2620-29-0x00000000003F0000-0x00000000003F1000-memory.dmp

          Filesize

          4KB

        • memory/2620-30-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2624-36-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2624-37-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2672-23-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2672-22-0x00000000003F0000-0x00000000003F1000-memory.dmp

          Filesize

          4KB

        • memory/2716-56-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB

        • memory/2716-57-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2908-48-0x0000000000400000-0x00000000016A3000-memory.dmp

          Filesize

          18.6MB

        • memory/2908-45-0x00000000003B0000-0x00000000003B1000-memory.dmp

          Filesize

          4KB