Analysis
-
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 16-04-2024 02:45
Behavioral task: behavioral1
Sample: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
Resource: win7-20240221-en
-
Behavioral task: behavioral2
Sample: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
-
Target: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
Size: 674KB
MD5: f281eed68163245661609f462a0c6266
SHA1: 11bc8632b1f40116589fd3b13be379bcac75e045
SHA256: f29c642e2962616de5f5a909c391bbe4292902a11ffa774203b03e8711c84c48
SHA512: 66494ee26ed66746ee51c31254245f5746ae9a0170fc255e851ad66320680219b022c66518e2ff3d2d470dd2f9cba4237b9f2bc018da514ade6ec6dba6bdfbb6
SSDEEP: 12288:mofpljJgZSsAjAuYcVWfs6MDMVqfBdcmDBujHhVP:7JwcAuv0fKMVqJdc3hVP
Malware Config
Signatures
-
Detects Echelon Stealer payload (1 IoC)
resource: behavioral1/memory/1972-0-0x0000000000840000-0x00000000008EE000-memory.dmp
yara_rule: family_echelon
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 8: api.ipify.org
flow 4: api.ipify.org
flow 5: api.ipify.org
flow 6: ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
pid 1972, Process f281eed68163245661609f462a0c6266_JaffaCakes118.exe (13 identical entries)
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid 1972, Process f281eed68163245661609f462a0c6266_JaffaCakes118.exe (10 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid 1972, Process f281eed68163245661609f462a0c6266_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 1972 wrote to memory of 1912
pid 1972, Process f281eed68163245661609f462a0c6266_JaffaCakes118.exe, procid_target 29 (3 identical entries)
-
outlook_office_path (1 IoC)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
-
outlook_win_path (1 IoC)
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process: f281eed68163245661609f462a0c6266_JaffaCakes118.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\f281eed68163245661609f462a0c6266_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f281eed68163245661609f462a0c6266_JaffaCakes118.exe"
   - Accesses Microsoft Outlook profiles
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   - outlook_office_path
   - outlook_win_path
   PID: 1972
   -
   2. C:\Windows\system32\WerFault.exe (child of PID 1972)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1972 -s 1140
      PID: 1912
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\uDHwDDBw078BFBFF000306D2D0D833BC38\38078BFBFF000306D2D0D833BCuDHwDDBw\Browsers\Passwords\Passwords_Edge.txt
Filesize: 52B
MD5: fdec4452a98b7d7f3dc83904cd82a724
SHA1: 2b447ea859993ab549ee1547c72071e59cace07c
SHA256: 59b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235
SHA512: 87a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432
-
C:\Users\Admin\AppData\Roaming\uDHwDDBw078BFBFF000306D2D0D833BC38\38078BFBFF000306D2D0D833BCuDHwDDBw\Files\ConvertFromOut.txt
Filesize: 405KB
MD5: 0c8eac937acbac62347d62f5c44b4b8b
SHA1: 27023a3287d05321bb57da89c09fc6d5a4a0209e
SHA256: acb36e788f514b4fdb95c31f99517c9844f8cac3597a353ba6a989bfeb7a81b1
SHA512: 9ce9af3d21fb0f79bd53e7d14199dbd37eb418b7f05c28ae0c70409f682c646c10bd0871215d61773935d41e039e29f51cf2425f01edd12b338a16c03fdfccfa