Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-04-2024 09:42

General

  • Target

    f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

  • Size

    197KB

  • MD5

    f7bbc60071623219f622b4e17e1f9cdc

  • SHA1

    cb11c5dc4a18271b5c1317d5117e6da8346975fc

  • SHA256

    181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5

  • SHA512

    3e0839d7c273da6283689769cab4ac1e0def92fbfbbc428dddbdc6cb7615c4232e9b59fe5e22a8d501cd66db9cc1ff8bbad55a5d46e76f8aabe203b16ed1bd75

  • SSDEEP

    6144:mzFu/4SvNGh4VhmkTNPQTqsTT0Tebd1T80B1+:H/4SVGh4nRITigNB1+

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (6 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (41 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
      • Drops desktop.ini file(s)
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          PID:1492
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          PID:1992
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          PID:2276
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          PID:2076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 2496
        • Program crash
        PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    T1553 Subvert Trust Controls (1)
    T1553.004 Install Root Certificate (1)
    T1112 Modify Registry (1)
  • Credential Access
    T1552 Unsecured Credentials (1)
    T1552.001 Credentials In Files (1)
  • Discovery
    T1012 Query Registry (1)
    T1082 System Information Discovery (1)
  • Collection
    T1005 Data from Local System (1)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize 68KB
    MD5 29f65ba8e88c063813cc50a4ea544e93
    SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B
    MD5 bf207f988b677815c807554b908d4c40
    SHA1 9a2a693f0250e1788809f96fa86f9301180d3876
    SHA256 c611ac2af75d8bb66a4495bb41c3aa96b9620a135d29202e2dbb3cf66ff67890
    SHA512 2a5f8a319c5a12906b365fa5fc127c598fd5fb62a1f57c12e66ed5a8c4801db5c9a4827ef082b924ad778bd0323b66ecfdc56180512f43d928a5ebdd3da0850d

  • C:\Users\Admin\AppData\Local\Temp\CabDED4.tmp
    Filesize 65KB
    MD5 ac05d27423a85adc1622c714f2cb6184
    SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarDFA6.tmp
    Filesize 177KB
    MD5 435a9ac180383f9fa094131b173a2f7b
    SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\Admin@IKJSPGIM_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize 105B
    MD5 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\b1f8aad4c48cb339feeab12db2c86e4d\msgid.dat
    Filesize 1B
    MD5 cfcd208495d565ef66e7dff9f98764da
    SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
    SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
    SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • memory/1672-1-0x0000000074100000-0x00000000747EE000-memory.dmp
    Filesize 6.9MB
  • memory/1672-2-0x00000000047B0000-0x00000000047F0000-memory.dmp
    Filesize 256KB
  • memory/1672-3-0x0000000000240000-0x0000000000254000-memory.dmp
    Filesize 80KB
  • memory/1672-0-0x0000000000140000-0x0000000000174000-memory.dmp
    Filesize 208KB
  • memory/1672-6-0x0000000074100000-0x00000000747EE000-memory.dmp
    Filesize 6.9MB
  • memory/2640-4-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize 160KB
  • memory/2640-80-0x00000000058B0000-0x00000000058F0000-memory.dmp
    Filesize 256KB
  • memory/2640-11-0x00000000058B0000-0x00000000058F0000-memory.dmp
    Filesize 256KB
  • memory/2640-10-0x0000000074080000-0x000000007476E000-memory.dmp
    Filesize 6.9MB
  • memory/2640-9-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize 160KB
  • memory/2640-7-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize 160KB
  • memory/2640-186-0x0000000074080000-0x000000007476E000-memory.dmp
    Filesize 6.9MB
  • memory/2640-187-0x00000000058B0000-0x00000000058F0000-memory.dmp
    Filesize 256KB