82cd40a855003c031c7e97841eb1342ab40006a1c3ebfcb904a4a4e422e7e57e

Analysis

max time kernel
90s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 03:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
Size

64KB
MD5

c8f6675ff1e17c474bfb6306bd911b9a
SHA1

1af4861dd639ac17eafb5649df815aa1f4ac853e
SHA256

82cd40a855003c031c7e97841eb1342ab40006a1c3ebfcb904a4a4e422e7e57e
SHA512

9b3096dda3f10ac63e70f9de5f9d5383779b3de9adb4779d5ed2fa716a8e9031fc7548a911590af070acd20d2741b9345174db28a0e85d8381dfc4ec66175290
SSDEEP

1536:hYXVBNDA/6An6qL2vxaddF0GEW6RMZ52WOHKOdLn:gQqvSOGEjaiWCK4

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3840	outlook.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe"	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\crc32.cfg	outlook.exe
File created	C:\Windows\sys32.exe	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
File created	C:\Windows\outlook.exe	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
File opened for modification	C:\Windows\outlook.exe	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
File opened for modification	C:\Windows\sys32.exe	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
File opened for modification	C:\Windows\outlook.cfg	outlook.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4524	3840	WerFault.exe	87

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3840	1976	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe	87
PID 1976 wrote to memory of 3840	1976	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe	87
PID 1976 wrote to memory of 3840	1976	c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8f6675ff1e17c474bfb6306bd911b9a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\outlook.exe
  C:\Windows\outlook.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 29840
    3⤵
    - Program crash
    PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\outlook.cfg

Filesize
737B

MD5
ff22b251e759ca8ca380781e4897fc0a

SHA1
23ae118ee6f9d299e8a6d3dea8c711245a9e7a91

SHA256
fb19ea8c94938842730eadf0a95c744ed1f7b22be53bf4c21507004333425c5c

SHA512
7ba52429bab54b7f51dfb01e4bfa354bb39a2b7eacfd24550747d9cb416b5e6360710714ee5d5536c929e170e4ad29e6a97b232de18cd3d814117f1df7059158

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
f5015a4b679809b1fcb3519da51fea71

SHA1
dfeaa52208110e0c562525e20a062690b8a9738b

SHA256
013a540b295672907d27a2e71f43027cb0cdbfb767c7445fac75294687a5427b

SHA512
a1aa7666aaf708180fa536121f86d993179a09a5e018af052d404e4da5952438bbb54bef15f7583a28d60684a6bc7b792ae3dcd9a70bc6f0201f07be948e970d

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
7eedd08ae4bb030faae3650130328321

SHA1
3257c3d2e018dd23434b48e3c0767b3e179e25ff

SHA256
139ffc13f5821ce54b8df2d099e279ebeca14ab73c4ce2438082319645067bc6

SHA512
2ca7fab65db2486275c680a6af6e450b6b084a558ba048c6d0966846fc14e6a1878613034474991130bc74ae0d41eea3b5cbf4aecb2a278739a5971d513d6117

Download Submit
C:\Windows\outlook.cfg

Filesize
1KB

MD5
111ef29dd7731f783903af4a619fab69

SHA1
b6c59b6b8f4d47177403d86393da127e1fc70d82

SHA256
06d170c9ae63828f22e044651cfa798be2bebbd3c797ba1db6f7534a3d305fa7

SHA512
a361b2a6524150086ed29ed394299261cc744ce72df5eb148e7539c9231b07580ab9284758a22628d9d2b096f4c33a3bd389299231748c0199932585a610cb62

Download Submit
C:\Windows\outlook.exe

Filesize
49KB

MD5
0e9379e357aba95f8b9883af9b67675e

SHA1
280a174a414e5b8588f42b6328af2c8c8ff4394f

SHA256
96b9c4ead67d03eb2c69103a983274e013e3466e80d8f95bd7cf3aea8be05b28

SHA512
6cc383806882729cd889b025802ac0d5e1c55a74b3e7d7c98932644e8802fe52b5b14a886eff70ab7deaa70fb60bb9898e55b5cd83b5b99e2a2d107dce367784

Download Submit
memory/1976-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1976-8-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3840-81-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3840-103-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/3840-119-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads