478d8b6fdf4b0251236abb1bd45a15a571f1a9ba49bb889b9fda797857472610

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe
Size

443KB
MD5

fb69830582c27350b197512f8e1c837b
SHA1

f6e777d3825f628614f5828ee25b4179ec4d30fc
SHA256

478d8b6fdf4b0251236abb1bd45a15a571f1a9ba49bb889b9fda797857472610
SHA512

605656801472a5903b4402158bb011931b59c18b4bf4f86101107119cfb38c699b246afb529134cd6c41bbc5ae14798479d30cfca0d62ad45a8e597ad1b35e3c
SSDEEP

12288:B5hV2xRb/onabLDVBJf7XIY1A3wBhvBJ/+2I:B5hV2P7onabLDVBJTXf1vBhvn/+2I

Score

7^/10

spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2712	Logo1_.exe
2520	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe
1104	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
2716	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe
File created	C:\Windows\virDll.dll	Logo1_.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe
2712	Logo1_.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2716	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2716	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2716	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2716	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	28
PID 2260 wrote to memory of 2712	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2712	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2712	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2712	2260	fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe	29
PID 2712 wrote to memory of 1104	2712	Logo1_.exe	20
PID 2712 wrote to memory of 1104	2712	Logo1_.exe	20
PID 2716 wrote to memory of 2520	2716	cmd.exe	31
PID 2716 wrote to memory of 2520	2716	cmd.exe	31
PID 2716 wrote to memory of 2520	2716	cmd.exe	31
PID 2716 wrote to memory of 2520	2716	cmd.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1104
- C:\Users\Admin\AppData\Local\Temp\fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCEC.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      PID:2520
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$aCEC.bat

Filesize
613B

MD5
70957a21a15f451fa24d9c38229c7946

SHA1
aa0cd4e7aab05632697255937b0763ee98b15084

SHA256
0386b769397b2925a96cecd7ef06a7df65913356a3b610cd5642d4643e9291c6

SHA512
c4cb8b0066fd8bfd4aae6465d1851a5c8e6cf53b9c0d4b301833719c49f9862c9188d247744fdf94098f7df5daa22ed40f3650ac46b67f90e32cef1759897c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb69830582c27350b197512f8e1c837b_JaffaCakes118.exe.exe

Filesize
384KB

MD5
bfe09ffef16757712456efee7670fa6c

SHA1
cafa58add8ad408eddce7bdb2a5ed2b08c33a6c2

SHA256
f4682f583a501a3b46af918452f298f0464838eced8a9429aaa52d5c899fe9ef

SHA512
b77d554242dc3a9305432749619ddbb292e3bf5d9def2d7326c087a8ee02db9b6aa0966dc8dcbc912040b81daa04f0e0f014b1c9f3bbd7a94b0203f5d2afe073

Download Submit
C:\Windows\Logo1_.exe

Filesize
58KB

MD5
a9c88df79daf36bb05afcde1020dd126

SHA1
554d2e64d3d97857b8f3a877a816406c8447f2ca

SHA256
026093facef8e0015475e0e5152fc997cf832676baa0f963d46d15d2903f4b6a

SHA512
8217b7585e686f6c68f43a3a5ff36d7fdcde6fb0a86c649f7100af9d94672a827279ce84aef784c9987cd7e0cbd925a73b84c98ec5372c9669e7cf20647dda55

Download Submit
memory/1104-18-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2260-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2712-241-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download