Analysis

  • max time kernel: 150s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10/04/2024, 23:59

General

  • Target: ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe
  • Size: 82KB
  • MD5: ec43f40c31a889034b6c31588da5c64c
  • SHA1: acd4d746dce75ae97c3aae8e741b88d1f9d06c5a
  • SHA256: e1878830854fcc655a72c96084615920a820480cf69127943494ea0a7b248373
  • SHA512: 384b05dbdd493a419fab3a07229f17944714815d64216f863c6fc1d0f2569acf013156a3ddcf133dc49660a2d7fa2b15e379253567b8b2a58c61545960013f29
  • SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitD+Xue9hwn0Bt5io:qKtfDwsjPThTYszDH2fle9hwn8v

Score: 7/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\Explorer.EXE (PID 3556)
    Command line: C:\Windows\Explorer.EXE
    • C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe (PID 2844)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe"
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 3508)
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6BAA.bat
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe (PID 4324)
          Command line: "C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe"
          Signatures: Executes dropped EXE
      • C:\Windows\Logo1_.exe (PID 4712)
        Command line: C:\Windows\Logo1_.exe
        Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8

Downloads

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize: 989KB
    MD5: f07be78e0ad355e65ba2ce5a1483fbab
    SHA1: 38fdf7a17ff128326adf437902be434b722781be
    SHA256: 11de308350886d8390f27e00570ef6055c9eb0ae2e484009c000bf7cce7c8f82
    SHA512: 0ca4c59cf8207a0a7daeee788f74206f8b6737c9d58ad34a7d6fd6056d45fe655aa452df2c8867459e0c8698bec61595db854e65f548242e8bd115d29b68e993

  • C:\Users\Admin\AppData\Local\Temp\$$a6BAA.bat
    Filesize: 614B
    MD5: d500e927cbc2ff50aafb296cd6db3f76
    SHA1: 4da8535989b793eb5d2e2266fa38c83a46317bd7
    SHA256: 673694e2970287c0a07cf5d572912a26d0c41da45a1620557b4b3ac6709dfe51
    SHA512: 75917b4f93763a83565c8e1091060239334b3e873991cd0c590ba6d101510bb6e2e12736b3bfbb66a54c6c81b7adbe686a4863943ba50f73dbd59b064e005d7f

  • C:\Users\Admin\AppData\Local\Temp\ec43f40c31a889034b6c31588da5c64c_JaffaCakes118.exe.exe
    Filesize: 23KB
    MD5: 4f7133b1963be15aba28474f280a96ed
    SHA1: 6d55b874085219c6564d986b6bf17c6d1e55e95c
    SHA256: c15341115908fdda3bdae7021930a088b1652a2fbaa992da7471fc315d1c0c03
    SHA512: 9f36e21c823eefe52cd11c69a847d394b135c4de02fcc27b4365fd98bc4236ba8252c688753b2499cb14900dd67f22e894248c2ee0ce5ebb817c8d2b4c4e66cd

  • C:\Windows\Logo1_.exe
    Filesize: 58KB
    MD5: d0d61c67293a445db5948849adae35ab
    SHA1: bfba28b28f49d507a45565c957ba09f7473a44bb
    SHA256: 7bf80d6f1f51ba8dd4658d5c902d648d94fbba8e8e7fac8f4df4dbe29293f6e6
    SHA512: 46c1c4025bf8f616be76c9a5cc2ec8cc96ea095923a1665905cc847c9dfcbfaba12570eab765cdc0954069492c3098a5113abfcb0888376ddf19ce6ce7c7f786

  • memory/2844-6-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB

  • memory/4712-232-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB