Overview

overview

7

Static

static

3

d5b1f4e230...18.exe

windows7-x64

7

d5b1f4e230...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2024 13:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe

  • Size

    250KB

  • MD5

    d5b1f4e23072e2544743dc64ab33c304

  • SHA1

    beac8bc4749f468abe100891bef58e77937e6770

  • SHA256

    84ae8fb70597b294f97dc4bb4413cfaafbfefb740950e2f6a52d7b8bed897913

  • SHA512

    e21aa34168270ffbcc5ff0d14395ef58239b45beddd0010044349d7c6e7d6591af5bee0cd4d6b7f3ad9ada214133ba78dc67fa848533d77bd8f790fbb2e82152

  • SSDEEP

    6144:BtfDwsjPThT5zL2780N2vAE+Zmmt0fSoD76GopfGh4U7:B5hVc80N2Ymmt0LDXoNQ

Score
7/10
spywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a11AD.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Users\Admin\AppData\Local\Temp\d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:2676
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\$$a11AD.bat
      Filesize

      614B

      MD5

      efb7e21942444a5493791a96223d95a8

      SHA1

      c1688f7da48b884ac344f65f7611c216b7683fed

      SHA256

      b34ae46119e46693c43812541191b67d599162a16f8029e8bd083312e2778917

      SHA512

      bccb31ef43881f4d3f6a9b728a33e472875dcab5aa93cfaa946a08029ec303dea11b4b4dee48a50fd6753d95b0a0e1f7fa56c19995b88fbc5f10153e56a30d1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\d5b1f4e23072e2544743dc64ab33c304_JaffaCakes118.exe.exe
      Filesize

      191KB

      MD5

      1650874a0337b8776e5f92791f26c709

      SHA1

      a536423256becc7fa873a5af70ad0ac6f053312d

      SHA256

      2b8f77719ff7528fc7147d381d98f0171390b94b85f84f9b4483e9322f140726

      SHA512

      05e76d7d107e7b8d1c9ee6f68f824a0c04a6658e994aa44f86d08aba38e641bba06dfc3668160d0f55625f784e263fe3010231f0a0c76d637b378622662147db

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      58KB

      MD5

      900ef496519cb93a3f999271aaa82b9c

      SHA1

      0796f29248d0c314cb35a374df833ac2d3516750

      SHA256

      65f5ab8d24cce61bbee3c3629a2a4c0ffe6e936d2e37c2a6290f9eaa484fe6d9

      SHA512

      9054049dd534c712d37634e5c0eca3474fd3acf6592ea8fb92403436cd18078fab2f0fedb6bdcbf82b95c586868fddfc6c0b9dba251caa129d6c0ba8958acace

      Download Submit

    • memory/1208-18-0x0000000002F10000-0x0000000002F11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1304-13-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2000-241-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download