e00944f0f776f689f24f4940d5a676f6d5344bbe6775296af6e9b90945b4ba22

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 20:14

Target

f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
Size

1.6MB
MD5

f43e01bdd7ffa5c1b023e9add7085a8b
SHA1

b279c4ceb6e62f5f01f0a033f2733771ed159223
SHA256

e00944f0f776f689f24f4940d5a676f6d5344bbe6775296af6e9b90945b4ba22
SHA512

cb6fe849f1a368d228c19f1704c5a55ce0ead415464b8850b00480629a218f1402cd71e56372f88562a1ccfa301d3fc0187c00cd10e383f6f7098ac88b6edd61
SSDEEP

49152:UMfm9EugiVrTvTW3+t3fXxsIKPq8fTsEri:UBqLwvhs5PrW

Score

7^/10

spyware stealer

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
4884	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
4884	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
4884	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
4884	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 4884	3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	86
PID 3524 wrote to memory of 4884	3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	86
PID 3524 wrote to memory of 4884	3524	f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f43e01bdd7ffa5c1b023e9add7085a8b_JaffaCakes118.exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_14e61ee0"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\pkg_14e61ee0\autorun.txt

Filesize
79B

MD5
6edd66b7e2edba93d32c5e905468f606

SHA1
8f5619b8bdb9697e9aab88d8bc7372667cdd70d1

SHA256
9a7d11e66934cf76fa796992ce4d67c823e46fc689a9425f928f16ed61b167b0

SHA512
4b7fcf2c2a9ab7941409882ffdcf3c5d07e1b30065cd5b2ee5bbdb45c67d59643d1289632f63cd937bb17af8f8cf13afa65275986d8d44407803793666246d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_14e61ee0\wrapper.xml

Filesize
766B

MD5
7df4b6db3fbbd712d68509779b2ed8fb

SHA1
45567d458538587b85ac1dc399d66e5a56e77238

SHA256
357da15a7e543cf183942d2e0e125d8814dd2bdb225ac5fe7d1fae0601b4473b

SHA512
6af8c86f81a07b5b7ea61bd11b64d3af1d92edddf80bd8ff28bd3d299cca86e8fc6007bb1c7be963715b439a16254136cba9aa9afb09ccca05eb111420c64c4f

Download Submit