Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2024, 13:23

General

  • Target

    b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe

  • Size

    1.9MB

  • MD5

    b97280557bb93a7c0dccaa1e3f110200

  • SHA1

    1af745e0135d22a69cb29a4f2bd609277887dc8c

  • SHA256

    df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6

  • SHA512

    8121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907

  • SSDEEP

    49152:EpQN2wy6vNZNPriyrOO53RTqtiq0g7mM+M6RkMkIM7I0676:D3ziyrOO53HM+M6RkMkIM7

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe"
    • Adds Run key to start application
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    PID:3540

Network

  • MITRE ATT&CK Enterprise v15


Downloads

  • C:\905c0769f9a06c95a24ddf945\patcher.exe$

    Filesize

    1.9MB

    MD5

    b97280557bb93a7c0dccaa1e3f110200

    SHA1

    1af745e0135d22a69cb29a4f2bd609277887dc8c

    SHA256

    df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6

    SHA512

    8121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907

  • memory/3540-0-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB