Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 21:00

General

  • Target

    e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe

  • Size

    5.5MB

  • MD5

    e5d8fd3aeb2df221386026d477c9a29f

  • SHA1

    b0282c62eb15642255d4dcf7709a5480ba49c04c

  • SHA256

    e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5

  • SHA512

    e5ba2b989683672dfd02cfddf685dca91964c0a4cc89a9b398090485cc47e67a6df585c1f4e0a1c3b77b62ce65deb7122b71309226589a586167464b3967f638

  • SSDEEP

    6144:btzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9SToScEMdFDIDIDVPQW9e7w4x4Qc:btzE5elwLz9TrszMnGGVoxU

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5488.tmp\5489.tmp\548A.bat C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        3⤵
        PID:1684
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp3.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""
        3⤵
        PID:1664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        3⤵
        PID:4636
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_mp4.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""
        3⤵
        PID:4748
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        3⤵
        PID:2368
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" FOR /F "tokens=1,* delims=: " %j in (InfList_png.txt) do copy /y C:\Users\Admin\AppData\Local\Temp\e5d8fd3aeb2df221386026d477c9a29f_JaffaCakes118.exe "%j:%k""
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        PID:4064

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4

    Filesize

    5.5MB

    MD5

    e5d8fd3aeb2df221386026d477c9a29f

    SHA1

    b0282c62eb15642255d4dcf7709a5480ba49c04c

    SHA256

    e528a7df88f2edb9a6b9d125fcf360ec4232de036f2ce9ef40c6183b957371e5

    SHA512

    e5ba2b989683672dfd02cfddf685dca91964c0a4cc89a9b398090485cc47e67a6df585c1f4e0a1c3b77b62ce65deb7122b71309226589a586167464b3967f638

  • C:\Users\Admin\AppData\Local\Temp\5488.tmp\5489.tmp\548A.bat

    Filesize

    7KB

    MD5

    90ff70f2778f116069b3d3a6cc0ab36e

    SHA1

    02a2f1a86ebb33a06f0392c365bea6e283e65ea0

    SHA256

    24581f8d20043f2cfc2ca639054813a59181cb284af37872dc9578b837ec4b24

    SHA512

    bcecb81121f8f7f29a50c79b01718bd92dda6054a55ab5ef440181b24352c973355d3bf4f0a780dc8fa5b22798dbe35b789933062dfa6385d8fc22721b36b725

  • C:\Users\Admin\AppData\Local\Temp\InfList_mp3.txt

    Filesize

    112B

    MD5

    a7056e4034a1ab2e5c702872777b53d4

    SHA1

    2f9c08eb41c885a1bd5792fee317143eefb84b87

    SHA256

    876f208b4ba4caac32e17b70bb08a4205a50806898b9c18ac2d6ac2ae7d18bff

    SHA512

    406581d1d7b3b9e025d574ca37e495fb3f4db589e2def7ab835a6a5592e233dd56c721e4c2f8a6e880def433abd95dbd6494c71e6ebd222614b7d57ffd1edc4c

  • C:\Users\Admin\AppData\Local\Temp\InfList_mp4.txt

    Filesize

    2KB

    MD5

    6dbf4182cb7bb750dcf0dcb011580b85

    SHA1

    b3e448cf78c4645c001931748c0567fd23efcee5

    SHA256

    6cd2086d84385e9cfec76572888edb6b535e97f4175d66455269de9686742851

    SHA512

    456de0f9461a32a5143ea38b88e61a825a9ecdb041f86bb57a48f340104f7d8c94baf89f4358090772436dcf19b4935fccd7e055751f180a93c233a27465237e

  • C:\Users\Admin\AppData\Local\Temp\InfList_png.txt

    Filesize

    1.7MB

    MD5

    d9e55a59d2fef4c320dda108699a31db

    SHA1

    2be85caab1f4b004861912129ae90ec19b4534b4

    SHA256

    19d27701ecc18710de79eb0eb7bf8e5eaf0d3b15a08010db20f0db592f76a4a5

    SHA512

    3f2751ad610993e30884a22c52b25006f8af6fc0114bf6158d8312cbd3ce5013258e8ec65fdc7d763a1e4a1031abaf0b4fdedd6d632fa862689d5d52618c7f61