Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 23:59
Static task: static1
Behavioral task: behavioral1
Sample: ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
Size: 82KB
MD5: ec43f40c31a889034b6c31588da5c64c
SHA1: acd4d746dce75ae97c3aae8e741b88d1f9d06c5a
SHA256: e1878830854fcc655a72c96084615920a820480cf69127943494ea0a7b248373
SHA512: 384b05dbdd493a419fab3a07229f17944714815d64216f863c6fc1d0f2569acf013156a3ddcf133dc49660a2d7fa2b15e379253567b8b2a58c61545960013f29
SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitD+Xue9hwn0Bt5io:qKtfDwsjPThTYszDH2fle9hwn8v
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2516  cmd.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  2748  Logo1_.exe
  2580  ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2516  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 drive roots were opened read-only by Logo1_.exe (every letter from E: to Z: except F:):
  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:
  \??\M:  \??\N:  \??\O:  \??\P:  \??\Q:  \??\R:  \??\S:
  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
Drops file in Program Files directory (64 IoCs)
All 64 files were opened for modification by Logo1_.exe; every target is an existing .exe under Program Files or Program Files (x86):
  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  C:\Program Files\Java\jre7\bin\tnameserv.exe
  C:\Program Files\Windows Sidebar\sidebar.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
  C:\Program Files (x86)\Internet Explorer\ExtExport.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
  C:\Program Files\Java\jre7\bin\unpack200.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  C:\Program Files\Mozilla Firefox\uninstall\helper.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
  C:\Program Files\Mozilla Firefox\pingsender.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
  C:\Program Files\Windows Mail\WinMail.exe
  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  C:\Program Files\Java\jre7\bin\rmiregistry.exe
  C:\Program Files\Windows Journal\Journal.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
  C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Java\jre7\bin\pack200.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
  C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
  C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
  C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
  C:\Program Files\Java\jre7\bin\java-rmi.exe
  C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE
  C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
  C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  C:\Program Files\VideoLAN\VLC\uninstall.exe
  C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  C:\Program Files\Microsoft Games\Chess\Chess.exe
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
  C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe
Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\Windows\Logo1_.exe    ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
  File created  C:\Windows\virDll.dll    Logo1_.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  2748  Logo1_.exe  (8 occurrences)

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                                              procid_target
  PID 2252 wrote to memory of 2516   2252  ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe   28  (4 occurrences)
  PID 2252 wrote to memory of 2748   2252  ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe   30  (4 occurrences)
  PID 2748 wrote to memory of 1132   2748  Logo1_.exe                                           20  (2 occurrences)
  PID 2516 wrote to memory of 2580   2516  cmd.exe                                              31  (4 occurrences)
The targets resolve, via the process tree below, to cmd.exe (2516), Logo1_.exe (2748), Explorer.EXE (1132) and the relaunched sample (2580).
Processes
C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1132
  C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe"
      PID: 2252
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a27EB.bat
        PID: 2516
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe"
          PID: 2580
          - Executes dropped EXE
    C:\Windows\Logo1_.exe
        Command line: C:\Windows\Logo1_.exe
        PID: 2748
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
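Read together, the signatures and the process tree describe one chain: the sample (PID 2252) writes C:\Windows\Logo1_.exe and launches it, and separately runs cmd /c on a batch file in the user's Temp directory; that cmd.exe (PID 2516) carries the "Deletes itself" and "Loads dropped DLL" signatures and relaunches the sample from its original path (PID 2580, which the sandbox flags as a dropped EXE); Logo1_.exe (PID 2748) drops C:\Windows\virDll.dll, opens the root of 21 drive letters read-only, opens 64 existing .exe files under Program Files for modification, and writes into the memory of Explorer.EXE (PID 1132). The Python below is an added example, not the sandbox's code or output: it encodes those behaviours as per-process rules and runs them over a constructed event list built from the IoCs above (PIDs, paths and drive letters as listed there; only a subset of the 64 Program Files paths is included). The event schema, the rule names and the thresholds are assumptions, not the sandbox's schema.

```python
"""Behavioural triage of sandbox file/process events.

Added example; not part of the sandbox report and not its schema. It rebuilds
the file-infector pattern visible in the signatures above (drive-root
enumeration, mass 'opened for modification' of .exe files under Program
Files, an EXE+DLL pair dropped into C:\\Windows, and a cmd /c <batch> that
relaunches the original) from a constructed event list and returns
per-process tags. Event fields, rule names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str    # full path of the acting process
    kind: str     # open_ro | open_mod | create | spawn
    target: str   # file path, drive root, or child command line


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the IoCs in the report above (PIDs, paths and the 21 drive
# letters as listed there); only 8 of the 64 Program Files targets are kept.
EVENTS = [
    Event(2252, 1132, SAMPLE, "create", LOGO1),
    Event(2252, 1132, SAMPLE, "spawn", r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a27EB.bat"),
    Event(2252, 1132, SAMPLE, "spawn", LOGO1),
    Event(2748, 2252, LOGO1, "create", r"C:\Windows\virDll.dll"),
    *(Event(2748, 2252, LOGO1, "open_ro", "\\??\\" + d + ":") for d in "LJGWTPHUMRQOZYXVSNKIE"),
    *(Event(2748, 2252, LOGO1, "open_mod", p) for p in (
        r"C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe",
        r"C:\Program Files\Windows Sidebar\sidebar.exe",
        r"C:\Program Files (x86)\Internet Explorer\ExtExport.exe",
        r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE",
        r"C:\Program Files\Mozilla Firefox\pingsender.exe",
        r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe",
        r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe",
        r"C:\Program Files\VideoLAN\VLC\uninstall.exe",
    )),
    Event(2516, 2252, CMD, "spawn", SAMPLE),
]

DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")                      # \??\X:
PF_EXE = re.compile(r"^C:\\Program Files( \(x86\))?\\(.+)\.exe$", re.IGNORECASE)
WINDIR_BIN = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll)$", re.IGNORECASE)
CLEANUP_BATCH = re.compile(r"^cmd(\.exe)?\s+/c\s+.+\.bat$", re.IGNORECASE)


def triage(events, min_drives=5, min_exe_mods=5):
    """Return {pid: sorted tags} for every process that trips at least one rule."""
    by_pid = defaultdict(list)
    image_of = {}
    for e in events:
        by_pid[e.pid].append(e)
        image_of[e.pid] = e.image
    findings = {}
    for pid, evs in by_pid.items():
        tags = set()
        drives = {m.group(1) for e in evs
                  if e.kind == "open_ro" and (m := DRIVE_ROOT.match(e.target))}
        if len(drives) >= min_drives:
            tags.add("enumerates_drives")
        if sum(1 for e in evs if e.kind == "open_mod" and PF_EXE.match(e.target)) >= min_exe_mods:
            tags.add("mass_exe_modification")
        if any(e.kind == "create" and WINDIR_BIN.match(e.target) for e in evs):
            tags.add("drops_into_windows")
        if any(e.kind == "spawn" and CLEANUP_BATCH.match(e.target) for e in evs):
            tags.add("spawns_cleanup_batch")
        # A cmd.exe child that starts the very image its parent ran from: the
        # "clean up, then run the original path again" half of the chain.
        parent_image = image_of.get(evs[0].ppid)
        if (ntpath.basename(evs[0].image).lower() == "cmd.exe" and parent_image
                and any(e.kind == "spawn" and e.target.lower() == parent_image.lower()
                        for e in evs)):
            tags.add("relaunches_parent_image")
        if tags:
            findings[pid] = sorted(tags)
    return findings


def touched_products(events, pid):
    """Top-level Program Files directories whose .exe files `pid` opened for write."""
    products = set()
    for e in events:
        if e.pid == pid and e.kind == "open_mod":
            m = PF_EXE.match(e.target)
            if m:
                products.add(m.group(2).split("\\")[0])
    return sorted(products)


def classify(findings):
    """Collapse per-process tags into report-level labels."""
    labels = set()
    for tags in findings.values():
        if "enumerates_drives" in tags and "mass_exe_modification" in tags:
            labels.add("file-infector-like")
        if "spawns_cleanup_batch" in tags:
            labels.add("self-deleting-dropper")
    return sorted(labels)


if __name__ == "__main__":
    found = triage(EVENTS)
    for pid, tags in sorted(found.items()):
        print(pid, tags)
    print("products to re-verify:", touched_products(EVENTS, 2748))
    print("verdict:", classify(found))
```

The thresholds are deliberately low for a sandbox run; on a production host you would raise `min_exe_mods` and add a time window, since legitimate installers also open many executables for write. `touched_products` is the practical output: every product directory it names holds binaries whose hashes can no longer be trusted and should be compared against vendor-signed copies before the host is returned to service.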
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 614B
  MD5: b955222b7fa222806f9cef4538dc7c1e
  SHA1: 1485ff11337d9fbd6ae7c91f857faa426a86cffd
  SHA256: ab872be78bbe1948538fcaad909e0f5aa5794f81e2002504a5f5904dd06d3250
  SHA512: bacd3ec458d28b03f34ab4cf76d1e3103e7e24e9f1cc2c992a1a386f7f7fbbe53ed66972762e683cace3d0f2fc2ec74f2fb8b6944cdb4563149dc1c70ef78105
- Filesize: 23KB
  MD5: 4f7133b1963be15aba28474f280a96ed
  SHA1: 6d55b874085219c6564d986b6bf17c6d1e55e95c
  SHA256: c15341115908fdda3bdae7021930a088b1652a2fbaa992da7471fc315d1c0c03
  SHA512: 9f36e21c823eefe52cd11c69a847d394b135c4de02fcc27b4365fd98bc4236ba8252c688753b2499cb14900dd67f22e894248c2ee0ce5ebb817c8d2b4c4e66cd
- Filesize: 58KB
  MD5: d0d61c67293a445db5948849adae35ab
  SHA1: bfba28b28f49d507a45565c957ba09f7473a44bb
  SHA256: 7bf80d6f1f51ba8dd4658d5c902d648d94fbba8e8e7fac8f4df4dbe29293f6e6
  SHA512: 46c1c4025bf8f616be76c9a5cc2ec8cc96ea095923a1665905cc847c9dfcbfaba12570eab765cdc0954069492c3098a5113abfcb0888376ddf19ce6ce7c7f786