Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04/04/2024, 13:23
Static task
static1
Behavioral task
behavioral1
Sample
b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
b97280557bb93a7c0dccaa1e3f110200
-
SHA1
1af745e0135d22a69cb29a4f2bd609277887dc8c
-
SHA256
df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6
-
SHA512
8121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907
-
SSDEEP
49152:EpQN2wy6vNZNPriyrOO53RTqtiq0g7mM+M6RkMkIM7I0676:D3ziyrOO53HM+M6RkMkIM7
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Java\jdk-1.8\bin\javac.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\dotnet\dotnet.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Windows Media Player\wmlaunch.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3540 b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3540
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5b97280557bb93a7c0dccaa1e3f110200
SHA11af745e0135d22a69cb29a4f2bd609277887dc8c
SHA256df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6
SHA5128121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907