Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-04-2024 19:38

General

  • Target

    ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe

  • Size

    7.6MB

  • MD5

    ebd655aa7f8b4d4efe09d73fff120bbd

  • SHA1

    6d7576b7a8af97b04aea0d9f3a55da750dcca121

  • SHA256

    bc43ee0eff59c762cf1b1c6cdabc578f83c36646ce4936797dcdb30b756975ba

  • SHA512

    ff1f016a7e8592478ba7669758fa2d680b237a247d0295d6f5b3cdbd41bdb496ede0758d719c1e8bc60ebcd614612dbb7f69fc75e90eaa97b9fc0377ee76ae98

  • SSDEEP

    196608:QlMlTiAuFyspTje2axQsUBUJ1hnYwMr+39RIFwacGKjv:QOTZ6VjaQbUHhTMrcJacGKT

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ebd655aa7f8b4d4efe09d73fff120bbd_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    PID:2728
  • C:\Windows\servbrow.exe
    "C:\Windows\servbrow.exe" /Service
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\servbrow.exe
      "C:\Windows\servbrow.exe" /Popup
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4684
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,13100272738549420251,6151825632958897606,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:456

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Mozilla Maintenance Service\Ws2Help.dll

    Filesize
    7.6MB

    MD5
    10b450a9f70d523af4150cfe866d1105

    SHA1
    691948a12a4a1bcd791a46a3864de9b5f1fdc4dc

    SHA256
    d6949bf6c695a356ee2a1a3884b9a4570e978cbe5f9043565adc167fde559389

    SHA512
    ac906efb568e989d59504c19e54e66f7819f5d4fe370ad3dc12fb45d988ed403dd5ebcb4388712eb0f56e5a7754eeed725875b178222100834184ad97ce8482e

  • C:\Windows\servbrow.exe

    Filesize
    7.6MB

    MD5
    a5563adb74da047833454888acf2deac

    SHA1
    7bdc5ab78022018a87f6fe696f66339f6e582b4f

    SHA256
    2f8368b95a7d2a8be3fcd6195b9f8b78bcd0bc6aa1a7fa128014b7d9eab7574d

    SHA512
    74131d59999d84bc1ba2bb306b2c2fa85ea9ff94454b4c14d42df2034e5fc5f1e054c3c3ea2ab863b0183924432d40bdd1dba9b370b3df0b983d729ebf92399f