Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 16:35
Static task: static1
Behavioral task: behavioral1
Sample: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
Size: 520KB
MD5: e55eea88697151e211ff353fad78c9c6
SHA1: 0cc9b41473fe9b2759719607da2e1d996e2b56fc
SHA256: 8e6c49b05813f0887f6efef38a0088ee56b701638b59c5d05803a5e77041ead8
SHA512: e66212c93d0fec9da84da449a9fe8125c2e89b8740b7a192ea5756514f921f32f48262a167c1a810026b847a75ee6a1a2de436754d097b95befaefbfc63df0ee
SSDEEP: 12288:V7I0hG0r6B/A03m6SEKL6pieVYdSOYb2e9Rd0x4Q+e:VM0I02/DS6BFjmSe
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   Process
    5076  lshss.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   Process                                             procid_target
    PID 1732 set thread context of 5076  1732  e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe  92
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   Process
    1732  e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  1732  e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe, csc.exe
    description                       pid   Process                                             procid_target  count
    PID 1732 wrote to memory of 1788  1732  e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe  89             3
    PID 1788 wrote to memory of 4676  1788  csc.exe                                             91             3
    PID 1732 wrote to memory of 5076  1732  e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe  92             9
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe"
  PID: 1732
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skpbvwxf.cmdline"
    PID: 1788
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC40D2.tmp"
      PID: 4676
  - [depth 2] C:\Users\Admin\AppData\Roaming\lshss.exe
    Command line: C:\Users\Admin\AppData\Roaming\lshss.exe
    PID: 5076
    - Executes dropped EXE
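The Signatures and Processes sections above are raw event rows. The following Python is an added example, not part of the sandbox report, that rebuilds the process tree from those rows and separates the one parent/child pair showing both WriteProcessMemory and SetThreadContext (the write-then-reset-context injection pattern behind lshss.exe, PID 5076) from the writes every child in this report receives from its creator (csc.exe and cvtres.exe get three each, so a write count on its own is not the signal). It also flags the run-time C# compile (csc.exe driven by a response file under %TEMP%) and the payload launched from AppData\Roaming. The process rows, command lines and event counts are transcribed from this report and parent PIDs follow the tree depth markers; the parser, the rules and the path patterns are my assumptions.

```python
"""Rebuild the process tree and injection edges from the sandbox report above.

Added example: process rows and event counts are transcribed from the report;
the parser, the detection rules and the path patterns are assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe"
DOTNET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# pid -> parent pid, image path, command line (from the report's process tree;
# parent PIDs follow the depth markers 1/2/3).
PROCESSES = {
    1732: dict(ppid=None, image=SAMPLE, cmdline='"' + SAMPLE + '"'),
    1788: dict(ppid=1732, image=DOTNET + r"\csc.exe",
               cmdline='"' + DOTNET + r'\csc.exe" /noconfig /fullpaths '
                       r'@"C:\Users\Admin\AppData\Local\Temp\skpbvwxf.cmdline"'),
    4676: dict(ppid=1788, image=DOTNET + r"\cvtres.exe",
               cmdline=DOTNET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                       r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D3.tmp" '
                       r'"c:\Users\Admin\AppData\Local\Temp\CSC40D2.tmp"'),
    5076: dict(ppid=1732, image=r"C:\Users\Admin\AppData\Roaming\lshss.exe",
               cmdline=r"C:\Users\Admin\AppData\Roaming\lshss.exe"),
}

# Memory/thread events as the Signatures section lists them; the repeat counts
# are the report's (15 WriteProcessMemory rows, 1 SetThreadContext row).
EVENTS = (
    ["PID 1732 wrote to memory of 1788 1732 e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe 89"] * 3
    + ["PID 1788 wrote to memory of 4676 1788 csc.exe 91"] * 3
    + ["PID 1732 wrote to memory of 5076 1732 e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe 92"] * 9
    + ["PID 1732 set thread context of 5076 1732 e55eea88697151e211ff353fad78c9c6_JaffaCakes118.exe 92"]
)

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
# csc.exe response file (@file.cmdline) under the user's temp dir: assumed pattern.
RESPONSE_FILE_RE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.I)


def summarize_events(lines):
    """Count writes and thread-context resets per (source pid, target pid) edge."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": 0})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a memory/thread event row
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edges[(src, dst)]["writes" if action.startswith("wrote") else "set_context"] += 1
    return dict(edges)


def injection_targets(edges, processes):
    """Children whose creator both wrote into them and replaced a thread context.

    Writes alone are not the signal: every child in this report receives a few
    writes from its parent (csc.exe and cvtres.exe get three each). The
    SetThreadContext on the same child is what singles out lshss.exe.
    """
    return sorted(dst for (src, dst), c in edges.items()
                  if c["set_context"] and c["writes"]
                  and processes.get(dst, {}).get("ppid") == src)


def runtime_compiles(processes):
    """csc.exe driven by a response file under %TEMP%: code compiled at run time."""
    return sorted(pid for pid, p in processes.items()
                  if p["image"].lower().endswith(r"\csc.exe")
                  and RESPONSE_FILE_RE.search(p["cmdline"]))


def dropped_user_profile_exes(processes):
    """Executables started from the user's roaming AppData (dropped payload)."""
    root = "c:\\users\\admin\\appdata\\roaming\\"
    return sorted(pid for pid, p in processes.items()
                  if p["image"].lower().startswith(root))


def ancestry(processes, pid):
    """Parent chain from pid up to the root, e.g. [4676, 1788, 1732]."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid]["ppid"]
    return chain


def triage(processes=PROCESSES, events=EVENTS):
    """One pass over the report's rows; returns the findings keyed by rule."""
    edges = summarize_events(events)
    return {
        "write_counts": {dst: c["writes"] for (_, dst), c in edges.items()},
        "injected": injection_targets(edges, processes),
        "runtime_compile": runtime_compiles(processes),
        "dropped": dropped_user_profile_exes(processes),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name:16} {value}")
    print("ancestry of 4676:", " <- ".join(map(str, ancestry(PROCESSES, 4676))))
```

On this report the only injected child is PID 5076 (lshss.exe, nine writes plus a context reset), the only run-time compile is PID 1788, and cvtres.exe resolves to the sample through csc.exe. The same three rules transfer to other reports in this format once the process rows are filled in.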
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 292adfef19aa8825d14fba86fa18c86b
  SHA1: 0371d69282e6327313a63c72a92f961e13909104
  SHA256: fc788567d7ad1022dd9cc6802dd802d979f7816224e3db2738433b1f11cb0b9a
  SHA512: eed53863fa8b20f96960744ee4f1ddfb07ce90d50be6a75df5e50ba5c413ab7a9bf1349f90a06c63cc1faa85806b5185bfa092094d9335fb8295097fd3ffd305
- Filesize: 5KB
  MD5: 1c3e4c3bd5307d66e867991a3120f374
  SHA1: 4118f18c6b241f34653b6e716a8a714ec03559c1
  SHA256: dac4ab449f50f0d8490949b44f8ddcdcef3e618a16b309aee3add39084221d94
  SHA512: cfedf77b2c57a4d0478e6e17004f5a9041790ba0dd5083a7a55abf833edea7987c7e1168c1c77158449ffef38723a3e7e94343385365f92acba7d37d2b875eda
- Filesize: 16KB
  MD5: 13d0d61085689f96c51116d270aa3b2e
  SHA1: dcc67b7aa625cb1ab1ce95e162c8c47dd5339b9e
  SHA256: cfac93f70813676cce818d22437ef49fc03ad669be219f5f8e9b36058d05712b
  SHA512: ee443a16dff0f46b9ba448075bdbe6110568989e9b39eff30fa3e7e5f200a816f4e20df49fddb588afbd3c7bf3a277ccadc744015af34a2e5bf8c4cc08e5dbd1
- Filesize: 652B
  MD5: 18a3c7778a435ef6ab236f0e34585291
  SHA1: b00222d4c1dd9eeb03f869918317498321b13d66
  SHA256: 5e0b843c20c452070f8bbb14c176db0fef75c2063000044dcfe2aaf57b1c7f6a
  SHA512: 89bc57544f608c6f1824219ab54666ffad5dc0bac98f8582c57c8ea4800d02db1bce523b6f184bd3e26771055f070946bdae6fa7d6ec82e6c5155c5509ecfccb
- Filesize: 4KB
  MD5: b63430207638c1a36b9b27002e0da3da
  SHA1: 54356082f32c71498c4ac5f85f4588e0d1c57ad0
  SHA256: fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193
  SHA512: 29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737
- Filesize: 206B
  MD5: 673de56976ef48788b29952e9e68b588
  SHA1: 3749eb1a10241d0ef9fdae88776350a2379c1dc0
  SHA256: a908ccea145de5a4a47e547c1904035c11e2fbaa96eec78f0f50b97701d61a8b
  SHA512: 3118305a898dc8936123b548fe1055052831aeae4c28d3547a8b74c5f02be01b24bc527e7990e6733b1f4f3e112c5fa66fb6d0375584497a77b6a8b4c00d43c3