Analysis
- max time kernel: 124s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 20:59
Static task: static1
Behavioral task: behavioral1
- Sample: f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
- Resource: win7-20240319-en
Behavioral task: behavioral2
- Sample: f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
- Size: 57KB
- MD5: f8bc15e2615d9e8785b01a43238a0d49
- SHA1: bdb1ee853c42ce148615260da62e9e9a98d3b032
- SHA256: cb8e12b2397aedf0cfcb13b4ecd67bfd5c90b6255d95e2ec0b09eb13ab4e442d
- SHA512: 005d3337b3fa43296eca49ea026273e2ccb98c5370b5d245573e157d2803c1e69683424c7a28725a1a663857c237811d806b8a621c64e51da13a34c9b98cf6a3
- SSDEEP: 384:RqDpIP+1N7OYRt5lvpW3ZW9lbQn86NQsImrIX/Gvj/8RXSp3giIaidm0w0gZyuEf:0D9xXxaZ0Qn86IdJRXTiIaqhXsyvR58c
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                    | process
    Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid  | process
    3028 | pinch.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
    description | ioc                                                                                                                                                   | process
    Key opened  | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pinch.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                                                  | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description       | ioc                                                         | process
    Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS          | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU    | EXCEL.EXE
- Modifies registry class (1 IoCs)
  Processes:
    description | ioc                                                                              | process
    Key created | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid  | process
    1420 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    3028 | pinch.exe
    3028 | pinch.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 3028 | pinch.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
    pid  | process
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
    1420 | EXCEL.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                     | pid  | process                                            | target process
    PID 4088 wrote to memory of 3028 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | pinch.exe
    PID 4088 wrote to memory of 3028 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | pinch.exe
    PID 4088 wrote to memory of 3028 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | pinch.exe
    PID 4088 wrote to memory of 1420 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | EXCEL.EXE
    PID 4088 wrote to memory of 1420 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | EXCEL.EXE
    PID 4088 wrote to memory of 1420 | 4088 | f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe | EXCEL.EXE
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc                                                                                                                                                   | process
    Key opened  | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | pinch.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f8bc15e2615d9e8785b01a43238a0d49_JaffaCakes118.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pinch.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pinch.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path
  - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Ëèñò Microsoft Excel.xls"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\pinch.exe
  Filesize: 41KB
  MD5: 7f5ca412e9c0caf59902d688dc704235
  SHA1: dc694b2f0c2dd1c5bedea00917b33b766c284557
  SHA256: 298019397fca6fa9f0a99f6fce4f39fe09bd79cf28707f3cc06919027363109a
  SHA512: eb317ee1c7f35362c98b13af9c5e9a917346639402d5cbb1ffd426cde2542c3d12aee0b10afd519edc5f9ac9d32518dbed7e656d02c236460b181a0549115c1f
- C:\Users\Admin\AppData\Local\Temp\Ëèñò Microsoft Excel.xls
  Filesize: 13KB
  MD5: 94d719398e11c54aec1c3c3ea92a9b1e
  SHA1: 5152fca344859c791abaa1a09429b6bca3b2ff69
  SHA256: a4102aab02b7e7b306f318fb59e335ab5592a15501a36a23952088b856a299c7
  SHA512: f5aae4ef64d46d35a53bcab37f1772c7caef2c339d4ecd958e676373c18d19e5aecf3dc2b0d6f3d58d19e686918a09e95ea966324da1c0e9190e4a5170d33faa