Analysis
-
max time kernel
177s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10-04-2024 11:26
General
-
Target
eaf542dd8a8094cde3fd9767497c06f3_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
eaf542dd8a8094cde3fd9767497c06f3
-
SHA1
e8f51145b8506ea14cd111d292450fff0be82b19
-
SHA256
57915804648a28ef848d9ef8b400660e828d516e53a3a91265b467bb95db9e89
-
SHA512
ec9f5de333718c0c0a4cdcd1a49439581d0029528407cfdd4aa2a798a0f0c1b3d02b23d8c8a99c20a97f4a60f685e7e12eb1635332155a92c9141a990d67577a
-
SSDEEP
49152:Egm7B/qk5xqQl+Xphug3rl2yFIt+65eVfTorTRo7:Jm7B/9/7eu/COrTq
Malware Config
Extracted
nullmixer
http://marisana.xyz/
Extracted
smokeloader
pub6
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ASPack v2.12-2.42 4 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 30 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eaf542dd8a8094cde3fd9767497c06f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eaf542dd8a8094cde3fd9767497c06f3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03AF81D6\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS03AF81D6\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_1.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03AF81D6\karotima_1.exekarotima_1.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c karotima_2.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS03AF81D6\karotima_2.exekarotima_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 3724⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DBCC7A02-6624-43A0-ABAE-E49CBF0B7601} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\csuvuedC:\Users\Admin\AppData\Roaming\csuvued2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1243⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD59108ad5775c76cccbb4eadf02de24f5d
SHA182996bc4f72b3234536d0b58630d5d26bcf904b0
SHA256c9d5525b2f2b76087121039ee1c23ed35508e60f653479722ec64ea3a064878e
SHA51219021a28555bba1fe1bdcdc8845f1bcadebd256c7db02b9329d6b44ae01a123a00e162cc34a97ba51f088cafa6f54ab1de8f82f771ac54b94a3a796f84f73362
-
Filesize
336KB
MD52ff9c527ec0a3f147a05e323901d80a2
SHA1fedc4bade881878bd7a97df09f89e6e4bf7d8e6e
SHA256b52cc9870c8540fef3adb945edc11134747bfdae420f7b1e5b37f60d28188165
SHA5120f33bc887c24dc8bba9f3749fb70a8489d0f51ef3dc0b30295548b7f0698ae0239a6d29ece52775335a811cbf3b31bc3a6e550505c05d7e08d96853ef72eb6a4
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
-
Filesize
290KB
MD50adbf20ecc69c2f9df3fb4af96b8660d
SHA1c38ccbb6766ac9c8441f5322144dbadd6c2d2639
SHA2568b43fcc176c108c312e0d3af6ae897a6416f6754556dfd013a34559546197310
SHA512f109a8fdd892374aaa73b2523fe981e9b2b68bc53406938414e532b7a529ba821752e9d716061bcbfb30567759778142da116e665f5dce62f85bba7485f99998
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
1.5MB
MD5fb0b833f695d52b7a9cc308b48136710
SHA18899b9196dad0c2d8e9900f2d8cdb10aff9ed87b
SHA256f3e28af372f1ecbe4bfc290214c09e4ba3485556ebc847971009996cd92daa48
SHA5129c77ce45b8eb09085f15ab8ec7301cf2d27e9ff2689089591576cb96b248fc58709934c38a60213f710cca8bd0276f7b206f18cadef5c392d95ad783f7540e88
-
Filesize
444KB
-
Filesize
444KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
84KB
-
Filesize
1024KB
-
Filesize
444KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
140KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
140KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.1MB