211f69de0184d66a4525463a4056932fb7fea95d96ebfce09930d295e95488cd

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 12:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
Size

643KB
MD5

e9f5788ba2b875d7debe7d398d0eb4b1
SHA1

821bfe0ddd6384c02a8c5565a1689702d3d44a53
SHA256

211f69de0184d66a4525463a4056932fb7fea95d96ebfce09930d295e95488cd
SHA512

ac6d1e2882120e26ca1d99e77bb0c64923e086e697ae839f4e6b0ec237fb3880859f2e03d5729107685470068691353388fbd1adace9bd80894133d2cdc5bd5b
SSDEEP

12288:VLG6JA70VxW6hSlLOQ0UCKO6H88DdMBLZoVjiIwaghvTDAsAuFekhX7xp/L6i6Y:VC6JK2hkLOhUCKO6cidw6jWaQ/FekhL1

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2132	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
372	rar.exe
4580	rar.exe
2364	lsess.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\windows\Entry1 = "c:\\windows\\web\\printers\\123.bat"	regedit.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\g:	cmd.exe
File opened (read-only)	\??\h:	cmd.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File created	\??\c:\windows\web\printers\1.reg	rar.exe
File created	\??\c:\windows\web\printers\gl.txt	rar.exe
File opened for modification	\??\c:\windows\web\printers\gl.txt	rar.exe
File opened for modification	C:\windows\web\printers	attrib.exe
File opened for modification	\??\c:\windows\dell\lsess.txt	rar.exe
File created	\??\c:\windows\web\printers\abc.vbs	rar.exe
File opened for modification	\??\c:\windows\web\printers\jinshan.vbs	rar.exe
File opened for modification	\??\c:\windows\web\printers\SVCH0ST.ini	rar.exe
File created	\??\c:\windows\web\printers\md5.txt	cmd.exe
File opened for modification	\??\c:\windows\web\printers\zzz.rar	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\web\printers\abc.vbs	rar.exe
File created	\??\c:\windows\web\printers\3.reg	rar.exe
File opened for modification	\??\c:\windows\web\printers\4.reg	rar.exe
File opened for modification	\??\c:\windows\web\printers\k.bat	rar.exe
File created	\??\c:\windows\web\printers\SVCH0ST.ini	rar.exe
File opened for modification	\??\c:\windows\web\printers\1.reg	rar.exe
File created	\??\c:\windows\web\printers\jinshan.vbs	rar.exe
File opened for modification	\??\c:\windows\web\printers\3.reg	rar.exe
File created	\??\c:\windows\web\printers\4.reg	rar.exe
File created	\??\c:\windows\web\printers\SVCH0ST.EXE	rar.exe
File opened for modification	\??\c:\windows\web\printers\SVCH0ST.EXE	rar.exe
File opened for modification	\??\c:\windows\web\printers\rar.exe	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\intell\1.txt	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
File opened for modification	\??\c:\windows\web\printers\jin.vbs	rar.exe
File created	\??\c:\windows\dell\lsess.exe	cmd.exe
File created	\??\c:\windows\web\printers\k.bat	rar.exe
File created	\??\c:\windows\ztop\svchost.exe	cmd.exe
File created	\??\c:\windows\dell\lsess.txt	rar.exe
File created	\??\c:\windows\web\printers\123.bat	rar.exe
File opened for modification	\??\c:\windows\web\printers\123.bat	rar.exe
File opened for modification	\??\c:\windows\web\printers\124.bat	rar.exe
File opened for modification	\??\c:\windows\web\printers\5.reg	rar.exe
File opened for modification	\??\c:\windows\ztop\svchost.exe	cmd.exe
File opened for modification	\??\c:\windows\dell\lsess.exe	cmd.exe
File created	\??\c:\windows\web\printers\QQlog.exe	rar.exe
File opened for modification	\??\c:\windows\web\printers\QQlog.exe	rar.exe
File created	\??\c:\windows\web\printers\360s.txt	rar.exe
File opened for modification	\??\c:\windows\web\printers\360s.txt	rar.exe
File opened for modification	\??\c:\windows\web\printers\usbhard.rar	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
File created	\??\c:\windows\web\printers\jin.vbs	rar.exe
File created	\??\c:\windows\web\printers\5.reg	rar.exe
File created	\??\c:\windows\web\printers\125.bat	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
File created	\??\c:\windows\web\printers\124.bat	rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4456	2364	WerFault.exe	102

Runs .reg file with regedit 3 IoCs

pid	Process
3372	regedit.exe
1988	regedit.exe
1288	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2696	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2716	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	93
PID 2864 wrote to memory of 2716	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	93
PID 2864 wrote to memory of 2716	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	93
PID 2716 wrote to memory of 372	2716	cmd.exe	95
PID 2716 wrote to memory of 372	2716	cmd.exe	95
PID 2716 wrote to memory of 372	2716	cmd.exe	95
PID 2716 wrote to memory of 2132	2716	cmd.exe	96
PID 2716 wrote to memory of 2132	2716	cmd.exe	96
PID 2716 wrote to memory of 2132	2716	cmd.exe	96
PID 2716 wrote to memory of 3372	2716	cmd.exe	97
PID 2716 wrote to memory of 3372	2716	cmd.exe	97
PID 2716 wrote to memory of 3372	2716	cmd.exe	97
PID 2716 wrote to memory of 4580	2716	cmd.exe	98
PID 2716 wrote to memory of 4580	2716	cmd.exe	98
PID 2716 wrote to memory of 4580	2716	cmd.exe	98
PID 2864 wrote to memory of 1552	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	100
PID 2864 wrote to memory of 1552	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	100
PID 2864 wrote to memory of 1552	2864	e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe	100
PID 1552 wrote to memory of 2696	1552	cmd.exe	103
PID 1552 wrote to memory of 2696	1552	cmd.exe	103
PID 1552 wrote to memory of 2696	1552	cmd.exe	103
PID 1552 wrote to memory of 1376	1552	cmd.exe	104
PID 1552 wrote to memory of 1376	1552	cmd.exe	104
PID 1552 wrote to memory of 1376	1552	cmd.exe	104
PID 2716 wrote to memory of 2364	2716	cmd.exe	102
PID 2716 wrote to memory of 2364	2716	cmd.exe	102
PID 2716 wrote to memory of 2364	2716	cmd.exe	102
PID 2716 wrote to memory of 1988	2716	cmd.exe	106
PID 2716 wrote to memory of 1988	2716	cmd.exe	106
PID 2716 wrote to memory of 1988	2716	cmd.exe	106
PID 2716 wrote to memory of 1288	2716	cmd.exe	107
PID 2716 wrote to memory of 1288	2716	cmd.exe	107
PID 2716 wrote to memory of 1288	2716	cmd.exe	107
PID 2716 wrote to memory of 2128	2716	cmd.exe	113
PID 2716 wrote to memory of 2128	2716	cmd.exe	113
PID 2716 wrote to memory of 2128	2716	cmd.exe	113
PID 2716 wrote to memory of 3108	2716	cmd.exe	114
PID 2716 wrote to memory of 3108	2716	cmd.exe	114
PID 2716 wrote to memory of 3108	2716	cmd.exe	114
PID 2716 wrote to memory of 2684	2716	cmd.exe	115
PID 2716 wrote to memory of 2684	2716	cmd.exe	115
PID 2716 wrote to memory of 2684	2716	cmd.exe	115
PID 2716 wrote to memory of 4616	2716	cmd.exe	116
PID 2716 wrote to memory of 4616	2716	cmd.exe	116
PID 2716 wrote to memory of 4616	2716	cmd.exe	116
PID 2716 wrote to memory of 2648	2716	cmd.exe	117
PID 2716 wrote to memory of 2648	2716	cmd.exe	117
PID 2716 wrote to memory of 2648	2716	cmd.exe	117
PID 2716 wrote to memory of 2832	2716	cmd.exe	118
PID 2716 wrote to memory of 2832	2716	cmd.exe	118
PID 2716 wrote to memory of 2832	2716	cmd.exe	118
PID 2716 wrote to memory of 1624	2716	cmd.exe	119
PID 2716 wrote to memory of 1624	2716	cmd.exe	119
PID 2716 wrote to memory of 1624	2716	cmd.exe	119
PID 2716 wrote to memory of 4156	2716	cmd.exe	120
PID 2716 wrote to memory of 4156	2716	cmd.exe	120
PID 2716 wrote to memory of 4156	2716	cmd.exe	120
PID 2716 wrote to memory of 4748	2716	cmd.exe	121
PID 2716 wrote to memory of 4748	2716	cmd.exe	121
PID 2716 wrote to memory of 4748	2716	cmd.exe	121
PID 2716 wrote to memory of 3516	2716	cmd.exe	122
PID 2716 wrote to memory of 3516	2716	cmd.exe	122
PID 2716 wrote to memory of 3516	2716	cmd.exe	122

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2648	attrib.exe
4156	attrib.exe
1624	attrib.exe
3516	attrib.exe
3108	attrib.exe
1376	attrib.exe
2128	attrib.exe
2684	attrib.exe
4616	attrib.exe
2832	attrib.exe
4748	attrib.exe
2132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9f5788ba2b875d7debe7d398d0eb4b1_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\web\printers\125.bat
  2⤵
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2716
- - \??\c:\windows\web\printers\rar.exe
    "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\usbhard.rar c:\windows\web\printers\
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:372
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +A +S +H c:\windows\web\printers
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:2132
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\windows\web\printers\1.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:3372
- - \??\c:\windows\web\printers\rar.exe
    "c:\windows\web\printers\Rar.exe" e -y -ping c:\windows\web\printers\zzz.rar c:\windows\dell\
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4580
- - \??\c:\windows\dell\lsess.exe
    c:\windows\dell\lsess.exe
    3⤵
    - Executes dropped EXE
    PID:2364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 528
      4⤵
      Program crash
      PID:4456
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\windows\web\printers\5.reg
    3⤵
    - Runs .reg file with regedit
    PID:1988
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\windows\web\printers\2.reg
    3⤵
    - Runs .reg file with regedit
    PID:1288
- - C:\Windows\SysWOW64\attrib.exe
    attrib -H -R d:\~1
    3⤵
    - Views/modifies file attributes
    PID:2128
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +R d:\setprter
    3⤵
    - Views/modifies file attributes
    PID:3108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -H -R e:\~1
    3⤵
    - Views/modifies file attributes
    PID:2684
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +R e:\setprter
    3⤵
    - Views/modifies file attributes
    PID:4616
- - C:\Windows\SysWOW64\attrib.exe
    attrib -H -R f:\~1
    3⤵
    - Views/modifies file attributes
    PID:2648
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +R f:\setprter
    3⤵
    - Views/modifies file attributes
    PID:2832
- - C:\Windows\SysWOW64\attrib.exe
    attrib -H -R g:\~1
    3⤵
    - Views/modifies file attributes
    PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +R g:\setprter
    3⤵
    - Views/modifies file attributes
    PID:4156
- - C:\Windows\SysWOW64\attrib.exe
    attrib -H -R h:\~1
    3⤵
    - Views/modifies file attributes
    PID:4748
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +R h:\setprter
    3⤵
    - Views/modifies file attributes
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - Runs ping.exe
    PID:2696
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -H c:\ma.exe
    3⤵
    - Views/modifies file attributes
    PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2364 -ip 2364
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11a.bat

Filesize
240B

MD5
33fd3c8efe8780270bffff10d338982d

SHA1
9f2e271aa3e8ba4e83cbcb9ba473f92507754721

SHA256
4979a52405a33302dcb3b0b6e66fb0b38f15708246406639293f8b2ad15514f8

SHA512
bb0e6ad1d26565cb5497caa7ee318c784091b6f187ac63f1b23ba8e6f5d9e1e6b311f3318bc87f363a948d065b6b7c678f8931b451fa04c20421e6f875cddbfa

Download Submit
C:\Windows\Web\printers\rar.exe

Filesize
310KB

MD5
0a5680183c0089a64621e211917664d8

SHA1
8525d73c99e28413e97a094c99950e1806786246

SHA256
c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

SHA512
b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

Download Submit
C:\Windows\dell\lsess.exe

Filesize
55.6MB

MD5
6d3e4561f374a11463e82ab60b52a907

SHA1
980e756772e57193521c58afb118336f60748f5b

SHA256
4257e753b91eaf9d028e0062a1938a593eaf8cba2aa6fcffa6869ddc9e5d795d

SHA512
4de233089d47441e0fe7465e1f5ef8f6b3d9eb5ee51b433d04258f50a2b96e2cd4dde1b550f01a1ef8f0515d4ccb123a4568e783e7ad3f19728879f279198c55

Download Submit
\??\c:\Windows\Web\printers\1.reg

Filesize
45KB

MD5
4ad724ba8346d8556e6e884727c0523e

SHA1
b53e2ec83b5b8441667b980fe6a53d69987fca89

SHA256
48c52c0934097cdd0aea155be18a2006f2dd6884d623a51b00baf3e5de3e1412

SHA512
fde2fb90a19fa00d040ade516fef8ca5f4463aee1a8af2fc85f41c3e818365086ff12491c330c8598bf071270bdbd863bbcdb5a5dde3d2523fbd1f6182eb33f3

Download Submit
\??\c:\Windows\Web\printers\5.reg

Filesize
22KB

MD5
3619b2192d1e0d4907f7d4702b4aa9e1

SHA1
1bb317bea13bb457d9ec71294e5c07c93cc9b8e6

SHA256
7da095327a1e11369d67d4f15d7c2e84cce9fb5d4cbac42d9b70bf0976300893

SHA512
8f2d8420dc2e92a4df42eab89bb612b2562ff6d152c4a6f651c64371089506673bf9f02a37ff1c3ad53a9ae0fe51aa9c47dcdb7e01a319df51306d58a601b7ff

Download Submit
\??\c:\windows\dell\lsess.txt

Filesize
55.6MB

MD5
526db4284f602cb880424f9459a6ce53

SHA1
c0ec731ae5e22420e9532485aeacf2e5bf6fc9b6

SHA256
14458b0f2963bb894d620ef724de3820cd775e27a092075a784f98cbd46d36b6

SHA512
36d72cf3cbd229cf7b3105f86b8600b64cdd1faed02c659f4b1d4d89d9fa5c7eee55c2e0398b45e6ca2ffd1757f2a6abc11229056da8aaade2d193c245e20006

Download Submit
\??\c:\windows\web\printers\125.bat

Filesize
1KB

MD5
1af018ff177dfbae562ac429cff786cb

SHA1
81f09865306d8c91d59bbec8a11ac874816f102c

SHA256
dda4aa27c7fd4b793bcadbd94c47dc997d66e293f910af3826de893b0381914a

SHA512
a76fba548576d2c99dac7e040bb140e29a68f55ee024174018345c4236e2a7ebda96d5ed1b66da85ae60d20485847e3cd38d34262be6c45475938f8d2182ab22

Download Submit
\??\c:\windows\web\printers\360s.txt

Filesize
36.6MB

MD5
9db87afc027bcb06705b5c918c74c84e

SHA1
a8330688c6cf9797fd68769979e9676613b76a59

SHA256
41b6ec359169e544c31194277d918480f7cda3607d4dc00b035dab6858791039

SHA512
badd60d1fc5b646f324e249c096960174cfadef7c38ca8ba9bcaa5d0c10ae1b67fdfdc1719e3863c1446392e56bd505478c8e564517e5b61ccece10cb06c3666

Download Submit
\??\c:\windows\web\printers\usbhard.rar

Filesize
235KB

MD5
f88fc7ec53733e37a823c1d6955afda5

SHA1
fff48a1387a612ff2aa012754a64d5534b5ac85e

SHA256
97ac32d6236176cf4bd52fe79bf7e9074e72918e6b0dd90062b672fdaeff16d2

SHA512
9df9bcd10269be12962bc8084581f529d0ac46f91fdc1c04d03fbbbfd8fd99c6938c7e72476cb41281bf07d6860d58bf39ffe2495a0c29e85ed10aad31cc45a6

Download Submit
\??\c:\windows\web\printers\zzz.rar

Filesize
232KB

MD5
a4ef777a4dd805ff81d88e26bf2fce43

SHA1
74344e53549c128ad7450c85738fab2df2715555

SHA256
bb578ce033793937421fc323fed18b9dbfc6e3cdcb9344a11a20a0415c257d4f

SHA512
dba1f668c438bcf68b13c907be983c7d40f5bece7f1daecc212bb1cc8cd4adb5698e0cbd2d0bfba5cbb90f6e8a0b436312200227a1e9534da180c9f45dda117c

Download Submit
memory/372-45-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2364-66-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2364-67-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2364-69-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/2864-61-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2864-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2864-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4580-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads