56448363adf1a752c3850912e0686c7181bf785280085f754abca6e70506b2ae

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
Size

72KB
MD5

fb66afa7fafa1972699a1dccc19cd883
SHA1

e35ed782c00795422799a6ab3c3bd14ae33aa4d6
SHA256

56448363adf1a752c3850912e0686c7181bf785280085f754abca6e70506b2ae
SHA512

f6c84e3c15fddf47eecb097690fcd09aafe0ff718534feabe310e0be3c64d7c9496e225f42ac41632a4bb0698e3264986f3d41ddb3116b8fab046e711b98071c
SSDEEP

1536:BlcbkxQBjOPbvD+YAO5xztwM6HBY46qax:BlikxQUPuhOzzP6HBSx

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Steam uccount Hacker v2.0.5.exe

pid process

2764 Steam uccount Hacker v2.0.5.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

804 3540 WerFault.exe fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe

pid	process
2764	Steam uccount Hacker v2.0.5.exe

pid	pid_target	process	target process
804	3540	WerFault.exe	fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe

description	pid	process	target process
PID 3540 wrote to memory of 2764	3540	fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe	Steam uccount Hacker v2.0.5.exe
PID 3540 wrote to memory of 2764	3540	fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe	Steam uccount Hacker v2.0.5.exe

C:\Users\Admin\AppData\Local\Temp\fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe"
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 848
2⤵
- Program crash
PID:804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
1⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe
Filesize
54KB

MD5
2c9596bf8b4ed065fd2ac29de5db364d

SHA1
0637578351f425e9ebd6a2e560e1106aafed7d2f

SHA256
0c0e6dda8327633c26a3be3dba4c93b8d2f23590df702ad9fc635d07e9b97401

SHA512
6846ab8d280bed0f227408f31649232a261bf9ec01176c55dc23d7600d94ed3a9ae1c55749c7cf450e658a9ba70269850303be4cba2d8e081fbe61f538cd8fe5

Download Submit
memory/2764-11-0x000000001BC30000-0x000000001BCD6000-memory.dmp

Filesize
664KB

Download
memory/2764-12-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp

Filesize
9.6MB

Download
memory/2764-14-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/2764-13-0x000000001C220000-0x000000001C6EE000-memory.dmp

Filesize
4.8MB

Download
memory/2764-15-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp

Filesize
9.6MB

Download
memory/2764-16-0x000000001C7B0000-0x000000001C84C000-memory.dmp

Filesize
624KB

Download
memory/2764-17-0x0000000001670000-0x0000000001678000-memory.dmp

Filesize
32KB

Download
memory/2764-18-0x000000001C910000-0x000000001C95C000-memory.dmp

Filesize
304KB

Download
memory/2764-19-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/2764-20-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/2764-21-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp

Filesize
9.6MB

Download
memory/2764-22-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/2764-23-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/2764-24-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download