Analysis
-
max time kernel
93s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted
16-04-2024 16:09
Behavioral task
behavioral1
Sample
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
-
Size
274KB
-
MD5
f3d648c4f3a0f9cfbead90e546efe8f6
-
SHA1
cba4d6e13b5f1e766914ef65ff50c19bb295c17f
-
SHA256
cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93
-
SHA512
bdeae22637a4be786fe8c4ef59ef35aeb4de2c339fc1728c47a8fd148528cb4ab92f84e6839727275f2d14d131a95d477ee50b8800aaa17a538f8bef1c04b213
-
SSDEEP
6144:Rf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXiRA1D0bBi:HNKK7zeNL2Y69eyXH1Dai
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     freegeoip.app
3     freegeoip.app
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
description        ioc                                                                          Process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
pid  Process
804  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
804  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
description              pid  Process
Token: SeDebugPrivilege  804  f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f3d648c4f3a0f9cfbead90e546efe8f6_JaffaCakes118.exe"
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
7ce291f3487fb6655b1740855099ee48
SHA1
623b521899a54f5b759502e6195b37a8a74d9db0
SHA256
0ff9145120a8ba8ea6a8ddf963ab391860dd46e74f8febf6f0df7b56c2624b5b
SHA512
9746c8266276a785b937bbe905a7e763e558f6d05eeb0ec950dc179172456b32e6e23afb8001098dcdd91b739276690db568faa17c55114b21a177a40f43a299
-
Filesize
338B
MD5
5a85cc7246cd270b112b061463603d03
SHA1
52e4f3d1d11d96f9d147f8d2f5395d29eb6b345f
SHA256
850c229b1ad026bbd71e876bfa37354c4ad69926c606402f4a1a60b6f217744c
SHA512
c7943faf16e05ef5132a1de187a8bdf60bd6e2067001df77cc8934111bf7efdb33190918a9ddba2aa6bcd9518217cd2c07d37e0dfa7907be4c6fd5f3d96923b8
-
Filesize
573B
MD5
36fca1333ff406bb772c1488746f8e4f
SHA1
06e5993bed08a080ab545091990be8541d5daa27
SHA256
0d4521544f289856033650368f601c4d619d4e9c946b70e8e38010554901989d
SHA512
3e8d83db87580076af4e7022e5836094b1c148eb6666df0152736428be0b73d8250c9033a1ea99d201bca9271b6d0428b3c8fe5fbfe195cfb9ad51a7a0b860da
-
Filesize
601B
MD5
c9897edd78fdf89b4b1d4967f849f004
SHA1
034f19a5f7a8def3f833c015bb5313f1a1752ef0
SHA256
4e7a65f7219a20325d8e19a5164c01231068d570d950ae4dab5a5b58e0f61b5b
SHA512
59979ec54a06d7a0fce2100aaf76e156167851f99eb5de821327809a93fc06fd16949bad6147f6d0b62d6edf2d5cc568858fe40d9cf4a5e3cf662c445f58c576
-
Filesize
1KB
MD5
10dd6fab46c5e876841b4232580bb550
SHA1
daa7417f18f86d25def6cab50812d9dfe8cfeb70
SHA256
1bc79342097e05aa05bb2c0b84a819d0166ca3ecc03a7db12ca7db981a498314
SHA512
47eee79baa12fc01d1ee76979b0fc76e77a22c170afede32d51cd201e42218a9d1e49eb78a73f44513313d724abd0d7c3b84eef9eac232cd5baf914627976990