Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2024 02:19
Behavioral task
behavioral1
Sample
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe
-
Size
354KB
-
MD5
f710a2d33d63a764233266d1956513c0
-
SHA1
b69fea2fd572b9726fd49c6e62c5b4c4a7c2d675
-
SHA256
6b40d28502a2b197934f8bfbbf30f9281b5d9f92acfadf3ce421a10e7d1f692c
-
SHA512
74f1c0f71cad9f4695f07c989d703efc3bd895a33a9e436e285d78a69e1b377b6c4c9c8e617b1d43f289766a48dbd54a862aa058d57e626fcfe909f574a12f73
-
SSDEEP
6144:wx3yO8R7r6mKkVrlBmUhruSHN+KTFHs0WcnGcDTuglLfJkhsmRi9wQ:wIOunPjBdCMN+KTps0FG0uglLfJQsmR
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Windows\SysWOW64\msiaxz32.dll acprotect -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2460 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/652-0-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral2/memory/652-1-0x0000000000400000-0x0000000000468000-memory.dmp upx C:\Windows\SysWOW64\msiaxz32.dll upx behavioral2/memory/2460-10-0x0000000010000000-0x0000000010087000-memory.dmp upx behavioral2/memory/2460-15-0x0000000010000000-0x0000000010087000-memory.dmp upx behavioral2/memory/2460-22-0x0000000010000000-0x0000000010087000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msiaxz32.dll,EmYMsld" f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
Processes:
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exedescription ioc process File created C:\Windows\SysWOW64\msiaxz32.dll f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\msiaxz32.dll f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1784 652 WerFault.exe f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exepid process 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
f710a2d33d63a764233266d1956513c0_JaffaCakes118.exerundll32.exedescription pid process target process PID 652 wrote to memory of 2460 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe rundll32.exe PID 652 wrote to memory of 2460 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe rundll32.exe PID 652 wrote to memory of 2460 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe rundll32.exe PID 652 wrote to memory of 4392 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe msedge.exe PID 652 wrote to memory of 4392 652 f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe PID 2460 wrote to memory of 4392 2460 rundll32.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵PID:4392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:82⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f710a2d33d63a764233266d1956513c0_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe msiaxz32.dll,EmYMsld2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 6922⤵
- Program crash
PID:1784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 652 -ip 6521⤵PID:2440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\msiaxz32.dllFilesize
176KB
MD5ce7d70fee773b5060dfadae59ee44c50
SHA172d1b5169a317d379cefcf6dd81532b55c84d0ba
SHA256819711654751fa54b36659d79214f4a1c43b7886b4e122f68c2133b4f4128dcf
SHA5121fdb02fbf85a3c1e01b4406889736bbc02d776c46252c4db2606010209f7a4adf39344ace733c9ca5d06a188c8235350d1d0f68e3e818c1864ed883288b9da44
-
memory/652-0-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/652-1-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/652-2-0x00000000021B0000-0x000000000220A000-memory.dmpFilesize
360KB
-
memory/652-6-0x00000000028E0000-0x0000000002967000-memory.dmpFilesize
540KB
-
memory/652-5-0x00000000028E0000-0x0000000002967000-memory.dmpFilesize
540KB
-
memory/652-4-0x00000000028E0000-0x0000000002967000-memory.dmpFilesize
540KB
-
memory/652-14-0x00000000021B0000-0x000000000220A000-memory.dmpFilesize
360KB
-
memory/652-12-0x00000000028E0000-0x0000000002967000-memory.dmpFilesize
540KB
-
memory/2460-10-0x0000000010000000-0x0000000010087000-memory.dmpFilesize
540KB
-
memory/2460-15-0x0000000010000000-0x0000000010087000-memory.dmpFilesize
540KB
-
memory/2460-22-0x0000000010000000-0x0000000010087000-memory.dmpFilesize
540KB