Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 05:21

General

  • Target
    dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
  • Size
    76KB
  • MD5
    dc3b465454af3811a5b1a6323e03c96f
  • SHA1
    37b52ed6f54638dccf3b25cf111d248107aff408
  • SHA256
    68d0913a23e38aee84a3b9176595b8fc6f85bfd7497a95a1d23b9ba9c70cad94
  • SHA512
    e3e7383f0e5f509f354d7e4d5ae1d89c7337b72dcb4fc5e5058b454c576757f30daf80f383cfcf0c44136bf21782c78702dc868bbfac222a0256453dd8ac5a2a
  • SSDEEP
    1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitl8PW6/4:qKtfDwsjPThTYszDH2fDyB/4

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a25B9.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:2408
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3012

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\$$a25B9.bat
    Filesize: 614B
    MD5: 2b6cc3eaa5eed75e67b8b36cd3652a5e
    SHA1: 2495fff8fc9321f42426844d48de0348d58f0f08
    SHA256: 0c7e29512b82a0a1b6955d31a2170b5bf0bf69b6f24b71291815ceb97a79082c
    SHA512: fda6de2dabb4a0a725609913aea489968a840bc2b8395416abab42fb03612b433ceeaa6c73fa0bf46cec5a6530cd09a11133928d3d8a163d8d73715dca712e61

  • C:\Users\Admin\AppData\Local\Temp\dc3b465454af3811a5b1a6323e03c96f_JaffaCakes118.exe.exe
    Filesize: 18KB
    MD5: 77727b915db20a529be45b065bcd1e06
    SHA1: ed010c2b80fd73413ae996d379004c4d996325b9
    SHA256: d41f7aad49c106e1a8bc19ecc5eb938679ddcc7f7df082714d8f95eb0f2a2387
    SHA512: 845f1506474f3b604d3f6eaf955da5840741e64f281e16033b599029c375360770b32c6071582450a329724ad731388a797e5cd81d742dfd3004f5ee9918a80f

  • C:\Windows\Logo1_.exe
    Filesize: 58KB
    MD5: 95171e6dfb058af81fa91c507acef887
    SHA1: 251de8a3bad783a43e48e44c6d45b28253ff9bfb
    SHA256: 0986d881f40f22dd7897b8f7a8a8a836d6867952a665460e6c240bda4c69cb8e
    SHA512: e8fa72fd4f54527da630847f3944321180fa1759e1f432c08dc047486768373f7ebb8b526afdd9307809d706b1c2b1dc635ebe74ab8afc769159de2b7d63c19c

  • memory/1196-20-0x0000000002570000-0x0000000002571000-memory.dmp
    Filesize: 4KB

  • memory/2408-80-0x0000000000E20000-0x0000000000E26000-memory.dmp
    Filesize: 24KB

  • memory/2408-176-0x0000000000E20000-0x0000000000E26000-memory.dmp
    Filesize: 24KB

  • memory/2792-13-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB

  • memory/3012-245-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB