Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-04-2024 16:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
- Size: 520KB
- MD5: e55eea88697151e211ff353fad78c9c6
- SHA1: 0cc9b41473fe9b2759719607da2e1d996e2b56fc
- SHA256: 8e6c49b05813f0887f6efef38a0088ee56b701638b59c5d05803a5e77041ead8
- SHA512: e66212c93d0fec9da84da449a9fe8125c2e89b8740b7a192ea5756514f921f32f48262a167c1a810026b847a75ee6a1a2de436754d097b95befaefbfc63df0ee
- SSDEEP: 12288:V7I0hG0r6B/A03m6SEKL6pieVYdSOYb2e9Rd0x4Q+e:VM0I02/DS6BFjmSe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: lshss.exe (PID 2996)
- Loads dropped DLL (2 IoCs)
  Processes: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe (PID 2880), 2 occurrences
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2880 (e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe) set thread context of PID 2996 (procid_target 31)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe (PID 2880)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe (PID 2880), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, procid_target):
  - PID 2880 wrote to memory of 2988; 2880 e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe; procid_target 28 (4 occurrences)
  - PID 2988 wrote to memory of 3032; 2988 csc.exe; procid_target 30 (4 occurrences)
  - PID 2880 wrote to memory of 2996; 2880 e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe; procid_target 31 (10 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe (depth 1, PID 2880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (depth 2, PID 2988)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rsae4a7c.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 3032)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp"
  - C:\Users\Admin\AppData\Roaming\lshss.exe (depth 2, PID 2996)
    Command line: C:\Users\Admin\AppData\Roaming\lshss.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads