Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-04-2024 16:09
Behavioral task
behavioral1
Sample
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
-
Size
274KB
-
MD5
f3d648c4f3a0f9cfbead90e546efe8f6
-
SHA1
cba4d6e13b5f1e766914ef65ff50c19bb295c17f
-
SHA256
cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93
-
SHA512
bdeae22637a4be786fe8c4ef59ef35aeb4de2c339fc1728c47a8fd148528cb4ab92f84e6839727275f2d14d131a95d477ee50b8800aaa17a538f8bef1c04b213
-
SSDEEP
6144:Rf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXiRA1D0bBi:HNKK7zeNL2Y69eyXH1Dai
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 freegeoip.app 5 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exepid Process 1648 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe 1648 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe 1648 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe 1648 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exedescription pid Process Token: SeDebugPrivilege 1648 f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
411B
MD5313b258500916126d004f43e25904a36
SHA14d0e2f93f05337c0ff23fcb21b6ddc690eb04ab9
SHA25612b226e4968921a409eb929cce0998a0c2b2563f14841ddcf7a3ddbb635052fb
SHA512c67a0377f8ef98e73448d8edd7b089fc1c56e43d532f0d9ef4840e103887f403b8f499766fe8021df2ffb6c7dfdee8a4df82137c94ad66ed96966b0fdf07f47d