Overview

overview

7

Static

static

3

ebd655aa7f...18.exe

windows7-x64

7

ebd655aa7f...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 19:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe

  • Size

    7.6MB

  • MD5

    ebd655aa7f8b4d4efe09d73fff120bbd

  • SHA1

    6d7576b7a8af97b04aea0d9f3a55da750dcca121

  • SHA256

    bc43ee0eff59c762cf1b1c6cdabc578f83c36646ce4936797dcdb30b756975ba

  • SHA512

    ff1f016a7e8592478ba7669758fa2d680b237a247d0295d6f5b3cdbd41bdb496ede0758d719c1e8bc60ebcd614612dbb7f69fc75e90eaa97b9fc0377ee76ae98

  • SSDEEP

    196608:QlMlTiAuFyspTje2axQsUBUJ1hnYwMr+39RIFwacGKjv:QOTZ6VjaQbUHhTMrcJacGKT

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    PID:2868
  • C:\Windows\servbrow.exe
    "C:\Windows\servbrow.exe" /Service
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\servbrow.exe
      "C:\Windows\servbrow.exe" /Popup
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1652

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll
          Filesize

          7.6MB

          MD5

          e40074b1a7c60ab4470c62501ba7e10a

          SHA1

          ddc2d661e06a981cbe78a32d470f5294cf011595

          SHA256

          0b488b2e3c0e997556d1ce96e1060cb245caaa8f32177c27b1691d3a7c078882

          SHA512

          5e4dfa2d8d5530fc749ca2a1858c159c3daf38843cb98cb612ec6f97e82894a21e22ea10c41f0f981b5b84fcbc914653dbb113e8b162cc4e3913acd7ba52d45b

          Download Submit

        • C:\Windows\servbrow.exe
          Filesize

          7.6MB

          MD5

          ee9f3d14565232b7d3bcc9c9a776217d

          SHA1

          0dff145e811406981fa6429c5858587c39840295

          SHA256

          a33ae81a71ef531692279f196bbf3e8607500ba22bcc34e69082909dac203bd1

          SHA512

          2811768fbfb5e9cd28c7362e36a94a75485767a0a3e82d02d3bdf6b71773b1e9b90042e2b5c81b0a9f0296713905cfeeb7454fd8a654eede55ddd2e169569f66

          Download Submit