Analysis
max time kernel: 147s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 23:24
Static task: static1
Behavioral task: behavioral1
Sample: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
Size: 72KB
MD5: fb66afa7fafa1972699a1dccc19cd883
SHA1: e35ed782c00795422799a6ab3c3bd14ae33aa4d6
SHA256: 56448363adf1a752c3850912e0686c7181bf785280085f754abca6e70506b2ae
SHA512: f6c84e3c15fddf47eecb097690fcd09aafe0ff718534feabe310e0be3c64d7c9496e225f42ac41632a4bb0698e3264986f3d41ddb3116b8fab046e711b98071c
SSDEEP: 1536:BlcbkxQBjOPbvD+YAO5xztwM6HBY46qax:BlikxQUPuhOzzP6HBSx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | process: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
Processes:
  pid: 2764 | process: Steam uccount Hacker v2.0.5.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
  pid: 804 | pid_target: 3540 | process: WerFault.exe | target process: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description: PID 3540 wrote to memory of 2764 | pid: 3540 | process: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe | target process: Steam uccount Hacker v2.0.5.exe
  description: PID 3540 wrote to memory of 2764 | pid: 3540 | process: fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe | target process: Steam uccount Hacker v2.0.5.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb66afa7fafa1972699a1dccc19cd883_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe"
    - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 848
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Steam uccount Hacker v2.0.5.exe
  Filesize: 54KB
  MD5: 2c9596bf8b4ed065fd2ac29de5db364d
  SHA1: 0637578351f425e9ebd6a2e560e1106aafed7d2f
  SHA256: 0c0e6dda8327633c26a3be3dba4c93b8d2f23590df702ad9fc635d07e9b97401
  SHA512: 6846ab8d280bed0f227408f31649232a261bf9ec01176c55dc23d7600d94ed3a9ae1c55749c7cf450e658a9ba70269850303be4cba2d8e081fbe61f538cd8fe5
memory/2764-11-0x000000001BC30000-0x000000001BCD6000-memory.dmp
  Filesize: 664KB
memory/2764-12-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp
  Filesize: 9.6MB
memory/2764-14-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB
memory/2764-13-0x000000001C220000-0x000000001C6EE000-memory.dmp
  Filesize: 4.8MB
memory/2764-15-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp
  Filesize: 9.6MB
memory/2764-16-0x000000001C7B0000-0x000000001C84C000-memory.dmp
  Filesize: 624KB
memory/2764-17-0x0000000001670000-0x0000000001678000-memory.dmp
  Filesize: 32KB
memory/2764-18-0x000000001C910000-0x000000001C95C000-memory.dmp
  Filesize: 304KB
memory/2764-19-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB
memory/2764-20-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB
memory/2764-21-0x00007FF90C8D0000-0x00007FF90D271000-memory.dmp
  Filesize: 9.6MB
memory/2764-22-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB
memory/2764-23-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB
memory/2764-24-0x00000000016B0000-0x00000000016C0000-memory.dmp
  Filesize: 64KB