Analysis
  max time kernel: 147s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18-04-2024 09:42
Static task: static1
Behavioral task: behavioral1
  Sample: f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
  Target: f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  Size: 197KB
  MD5: f7bbc60071623219f622b4e17e1f9cdc
  SHA1: cb11c5dc4a18271b5c1317d5117e6da8346975fc
  SHA256: 181e46988f3f2140a1b6cd772050bd22cd966d919a03dd9023fa0d51e71629a5
  SHA512: 3e0839d7c273da6283689769cab4ac1e0def92fbfbbc428dddbdc6cb7615c4232e9b59fe5e22a8d501cd66db9cc1ff8bbad55a5d46e76f8aabe203b16ed1bd75
  SSDEEP: 6144:mzFu/4SvNGh4VhmkTNPQTqsTT0Tebd1T80B1+:H/4SVGh4nRITigNB1+
Malware Config
Signatures
StormKitty
  StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
  resource: behavioral2/memory/3588-6-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: family_stormkitty
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (6 IoCs)
  Process: f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  Files created:
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
Suspicious use of SetThreadContext (1 IoC)
  PID 2920 (f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe) set thread context of PID 3588 (f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe)

Program crash (1 IoC)
  pid 1752 WerFault.exe, target pid 3588 f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3588 f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  pid 3588 f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 2920  f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 3588  f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  Each row is one source/target pair; "calls" is how many write events were recorded for it (total 29).
  PID   process                                             target PID  target process                                      calls
  2920  f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe  3588        f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe  8
  3588  f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe  3800        cmd.exe                                             3
  3800  cmd.exe                                             1948        chcp.com                                            3
  3800  cmd.exe                                             3780        netsh.exe                                           3
  3800  cmd.exe                                             4884        findstr.exe                                         3
  3588  f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe  4660        cmd.exe                                             3
  4660  cmd.exe                                             4020        chcp.com                                            3
  4660  cmd.exe                                             744         netsh.exe                                           3
Processes (indentation shows parent/child; PIDs taken from the signature tables above)
  [1] C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe (PID 2920)
      command line: "C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe (PID 3588)
        command line: C:\Users\Admin\AppData\Local\Temp\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe
        - Drops desktop.ini file(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\cmd.exe (PID 3800)
          command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\chcp.com (PID 1948)
            command line: chcp 65001
        [4] C:\Windows\SysWOW64\netsh.exe (PID 3780)
            command line: netsh wlan show profile
        [4] C:\Windows\SysWOW64\findstr.exe (PID 4884)
            command line: findstr All
      [3] C:\Windows\SysWOW64\WerFault.exe (PID 1752)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1444
          - Program crash
      [3] C:\Windows\SysWOW64\cmd.exe (PID 4660)
          command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\SysWOW64\chcp.com (PID 4020)
            command line: chcp 65001
        [4] C:\Windows\SysWOW64\netsh.exe (PID 744)
            command line: netsh wlan show networks mode=bssid
  [1] C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3588 -ip 3588
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Users\Admin\AppData\Local\432d6a01c19570cbe26fd20901a58a63\Admin@NCRNVAGW_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7bbc60071623219f622b4e17e1f9cdc_JaffaCakes118.exe.log
    Filesize: 605B
    MD5: 3654bd2c6957761095206ffdf92b0cb9
    SHA1: 6f10f7b5867877de7629afcff644c265e79b4ad3
    SHA256: c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4
    SHA512: e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79
  Memory dumps (dump name, filesize):
    memory/2920-4-0x0000000004A60000-0x0000000004A7E000-memory.dmp   120KB
    memory/2920-1-0x0000000000110000-0x0000000000144000-memory.dmp   208KB
    memory/2920-0-0x0000000074660000-0x0000000074E10000-memory.dmp   7.7MB
    memory/2920-5-0x0000000004A80000-0x0000000004A94000-memory.dmp   80KB
    memory/2920-3-0x0000000004AC0000-0x0000000004B36000-memory.dmp   472KB
    memory/2920-2-0x0000000004BE0000-0x0000000004BF0000-memory.dmp   64KB
    memory/2920-9-0x0000000074660000-0x0000000074E10000-memory.dmp   7.7MB
    memory/3588-6-0x0000000000400000-0x0000000000428000-memory.dmp   160KB
    memory/3588-11-0x00000000053F0000-0x0000000005456000-memory.dmp  408KB
    memory/3588-12-0x00000000056F0000-0x0000000005700000-memory.dmp  64KB
    memory/3588-10-0x0000000074660000-0x0000000074E10000-memory.dmp  7.7MB
    memory/3588-71-0x00000000064A0000-0x0000000006532000-memory.dmp  584KB
    memory/3588-73-0x0000000006EE0000-0x0000000007484000-memory.dmp  5.6MB
    memory/3588-87-0x0000000074660000-0x0000000074E10000-memory.dmp  7.7MB