Analysis

max time kernel: 93s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-04-2024 00:19

Static task: static1
Behavioral task: behavioral1
  Sample: f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General

Target: f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe
Size: 549KB
MD5: f913f9abda61dee2ae208de27c924bcf
SHA1: 20f035d85492864f05961318e315b3d05d352988
SHA256: adbc6429af3839f7f132b7e676323346672715bdfca5b37dcff7612d1fb0064f
SHA512: 43437e6c03f377a4e801eda75f134c09fbb7080babda4bfcec5c973284d27696df82ed6fc1a4ed802a32ec4e664ac24eb37fd1376b51a088e402860864ba3004
SSDEEP: 12288:2L5OITPz29ROfrH4vTRxoNoUeuP5ceWwwj5YsMZWGSvQ/6f/r4GITNVfpHG1lG:2L5OCyEklIhP5c3wSvMC
Malware Config

Extracted: snakekeylogger
Protocol: smtp
Host: webmail.wetwoengg.in
Port: 25
Username: wetwokcm@wetwoengg.in
Password: Wetwokcm@1959
Email To: wetwokcm@wetwoengg.in

The sample is configured to exfiltrate captured keystrokes and credentials by mail: it authenticates to the listed SMTP host on port 25 with the embedded credentials and sends to the same mailbox. Outbound SMTP from a workstation process to webmail.wetwoengg.in, and any authentication as wetwokcm@wetwoengg.in, are the network-side indicators to block and alert on.
Signatures

Snake Keylogger
Keylogger and infostealer, first seen in November 2020.

Snake Keylogger payload (2 IoCs)
  yara_rule family_snakekeylogger matched:
    behavioral2/memory/1792-16-0x0000000000400000-0x0000000000424000-memory.dmp
    behavioral2/memory/1792-21-0x0000000005940000-0x0000000005950000-memory.dmp
  Both hits are in PID 1792, the second instance of the sample, not in the original PID 5060: the unpacked payload only exists in the injected child.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
  The WOW6432Node component on both keys is WOW64 registry redirection: the sample is a 32-bit process on x64 Windows, so its HKLM\SOFTWARE reads are logged under the redirected path. A detection written only for the native SOFTWARE\Oracle or SOFTWARE\VMware, Inc. paths misses this sample.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key value queried: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 48  freegeoip.app
  flow 49  freegeoip.app
  flow 43  checkip.dyndns.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
  PID 5060 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe) set thread context of PID 1792 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  WerFault.exe PID 844, target PID 1792 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  The schtasks.exe command line is shown in the process tree.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 5060  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe
  PID 1792  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 5060  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 1792  f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 5060 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe) wrote to memory of PID 2492 (schtasks.exe)  x3
  PID 5060 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe) wrote to memory of PID 1792 (f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe)  x8
  The eight writes into PID 1792, a child running the same image, followed by SetThreadContext on it, are the process-hollowing (RunPE) sequence that places the payload in the child; the three writes into schtasks.exe are the normal CreateProcess setup for that child.
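Each of the registry reads above is harmless on its own (inventory tools read SystemBiosVersion, installers check for VMware Tools), but one process reading several of them in sequence before doing anything else is the sandbox-evasion pattern this report is flagging. The following is an added example, not part of the report, of the cluster check a detection engineer would write over registry-access telemetry. The records are constructed from the report's own IoC rows for PID 5060 plus two benign control processes; the record fields (pid, image, op, path) and the control pids are my own. One caveat on applicability: Sysmon does not record key opens or value reads (its registry events 12, 13 and 14 cover create/delete, value set and rename), so this logic fits sandbox traces or ETW from the kernel registry provider, not stock Sysmon logs.

```python
import re
from collections import defaultdict

# Fingerprint keys copied from the report's IoC rows, written in native
# (non-WOW64) form. Values under a key (e.g. Disk\Enum\0) are matched by
# prefix in classify_key().
VM_FINGERPRINT_KEYS = {
    r"\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions": "virtualbox_guest_additions",
    r"\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools": "vmware_tools",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "system_bios_version",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video_bios_version",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum": "disk_enum",
}

_WOW64 = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)
_CONTROLSET = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)(?=\\)", re.IGNORECASE)


def normalize_key(path):
    """Canonicalise a registry path so one rule matches 32- and 64-bit callers.

    A 32-bit process on x64 sees the SOFTWARE hive through WOW6432Node, which
    is exactly how the report logs this sample's reads; that component is
    removed, ControlSetNNN/CurrentControlSet are folded to ControlSet001, and
    the result is lower-cased because registry paths are case-insensitive.
    """
    path = _WOW64.sub("", path)
    path = _CONTROLSET.sub(r"\\ControlSet001", path)
    return path.lower()


_NORMALIZED = {normalize_key(k): v for k, v in VM_FINGERPRINT_KEYS.items()}


def classify_key(path):
    """Return the fingerprint name for a key (or a value under it), else None."""
    key = normalize_key(path)
    for fingerprint, name in _NORMALIZED.items():
        if key == fingerprint or key.startswith(fingerprint + "\\"):
            return name
    return None


def detect_vm_probe_cluster(records, min_distinct=2):
    """Flag each pid that touches at least min_distinct different fingerprint keys.

    Returns {pid: {"image": ..., "probes": [sorted names]}}. A single hit is
    ignored on purpose: hardware inventory and installers legitimately read one
    of these keys; malware reads several in a row before deciding to run.
    """
    probes = defaultdict(set)
    images = {}
    for rec in records:
        name = classify_key(rec["path"])
        if name is None:
            continue
        probes[rec["pid"]].add(name)
        images[rec["pid"]] = rec["image"]
    return {
        pid: {"image": images[pid], "probes": sorted(names)}
        for pid, names in probes.items()
        if len(names) >= min_distinct
    }


SAMPLE = "f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe"

# Constructed records: the first seven are the report's rows for PID 5060;
# the last two are benign controls (their pids and images are made up).
SAMPLE_RECORDS = [
    {"pid": 5060, "image": SAMPLE, "op": "Key opened",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"},
    {"pid": 5060, "image": SAMPLE, "op": "Key opened",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"},
    {"pid": 5060, "image": SAMPLE, "op": "Key value queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 5060, "image": SAMPLE, "op": "Key value queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 5060, "image": SAMPLE, "op": "Key value queried",
     "path": r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation"},
    {"pid": 5060, "image": SAMPLE, "op": "Key opened",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"},
    {"pid": 5060, "image": SAMPLE, "op": "Key value queried",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"},
    # An inventory tool reading one BIOS value: a single probe, must not alert.
    {"pid": 3100, "image": "msinfo32.exe", "op": "Key value queried",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 3300, "image": "explorer.exe", "op": "Key opened",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"},
]

if __name__ == "__main__":
    for pid, info in detect_vm_probe_cluster(SAMPLE_RECORDS).items():
        print(pid, info["image"], ", ".join(info["probes"]))
```

The Geo\Nation read is deliberately not in the fingerprint set: it is a geofence check rather than a VM check, and it is common in benign software, so it belongs in a separate rule. Running the block flags only PID 5060 with all five probes; msinfo32 reading a single BIOS value stays quiet.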
Processes

C:\Users\Admin\AppData\Local\Temp\f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  (PID 5060)
  "C:\Users\Admin\AppData\Local\Temp\f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2492, child of 5060)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bYHUEbNIzaoT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD34E.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe  (PID 1792, child of 5060)
      "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe  (PID 844, child of 1792)
          C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1808
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1792 -ip 1792

Reading the tree:
- The command line for PID 2492 names System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe. That is WOW64 file-system redirection: the sample is a 32-bit process (its registry reads land under WOW6432Node and the CLR usage log below is written by the 32-bit runtime). The task is registered under a folder named Updates from an XML file in the user's Temp directory; task folders with random names under Updates\ and task definitions read from Temp are both worth a hunt across the estate.
- PID 1792 is a second copy of the sample, started by the first with the literal command line "{path}": the loader's placeholder was never substituted. Together with the SetThreadContext and WriteProcessMemory IoCs from 5060 into 1792, and the family_snakekeylogger YARA matches appearing only in 1792's memory, this is the process-hollowing step that unpacks the keylogger into the child. Legitimate software does not launch itself as "{path}", so that command line alone is a cheap hunting pivot.
- The hollowed child then crashed (WerFault -u -p 1792). Behaviour after injection, including the SMTP exfiltration configured in the extracted config, may therefore not have been observed in this run; the absence of mail traffic here is not evidence that the payload does not send it.
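The tree above is the whole infection chain in four process-creation events, and each step is detectable on its own from Sysmon process-creation (event ID 1) and DNS-query (event ID 22) telemetry. The following is an added example, not part of the report: the events are constructed to mirror the tree (PIDs 5060, 2492, 1792 and 844 and their command lines are taken from the report; the parent of PID 5060, the attribution of the IP-lookup DNS queries to PID 1792 and the benign control events are my assumptions). The rules generalise what the report observed: a process spawning its own image with a command line that never names the executable (here the literal "{path}"), schtasks /Create with an /XML file under the user's Temp directory, a WerFault crash of a process already judged hollowed, and DNS to the IP-check hosts the report lists.

```python
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe"

# Hosts taken from the report's "Looks up external IP address" signature.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}

_TEMP_XML = re.compile(r'/xml\s+"?([^"\s]+\\AppData\\Local\\Temp\\[^"\s]+)', re.IGNORECASE)
_TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)
_WER_TARGET = re.compile(r"\s-p\s+(\d+)", re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def analyze_process_events(events):
    """Run the four chain rules over Sysmon-style event dicts; return findings in order.

    Pass 1 handles process creation (EventID 1) and learns which pids look
    hollowed; pass 2 attributes crashes and DNS lookups to those pids, so the
    result does not depend on the crash or the query arriving after the spawn.
    """
    findings = []
    hollowed = set()
    for e in events:
        if e["EventID"] != 1:
            continue
        image, parent = e["Image"].lower(), e["ParentImage"].lower()
        cmd = e["CommandLine"].strip()
        # Rule 1: self-spawn whose command line never names the executable.
        # Real self-spawners (browsers, updaters) pass their own path; a RunPE
        # loader passes a placeholder such as "{path}".
        if image == parent and _basename(image) not in cmd.lower():
            hollowed.add(e["ProcessId"])
            findings.append({"rule": "self_spawn_without_path", "pid": e["ProcessId"],
                             "parent_pid": e["ParentProcessId"], "cmdline": cmd})
        # Rule 2: scheduled task registered from an XML file in the user's Temp.
        if _basename(image) == "schtasks.exe" and "/create" in cmd.lower():
            xml = _TEMP_XML.search(cmd)
            if xml:
                name = _TASK_NAME.search(cmd)
                findings.append({"rule": "schtasks_xml_from_temp", "pid": e["ProcessId"],
                                 "parent_pid": e["ParentProcessId"],
                                 "task": name.group(1) if name else None, "xml": xml.group(1)})
    for e in events:
        if e["EventID"] == 1 and _basename(e["Image"]) == "werfault.exe":
            # Rule 3: the hollowed child crashed (WerFault -p <pid>). The payload
            # may not have run to completion, so later behaviour can be missing.
            target = _WER_TARGET.search(e["CommandLine"])
            if target and int(target.group(1)) in hollowed:
                findings.append({"rule": "hollowed_child_crashed", "pid": int(target.group(1)),
                                 "werfault_pid": e["ProcessId"]})
        elif e["EventID"] == 22 and e["QueryName"].lower() in IP_LOOKUP_HOSTS:
            # Rule 4: external-IP discovery, weighted higher when the querying
            # pid is one already judged hollowed.
            findings.append({"rule": "external_ip_lookup", "pid": e["ProcessId"],
                             "query": e["QueryName"], "from_hollowed": e["ProcessId"] in hollowed})
    return findings


def _proc(pid, image, cmd, ppid, pimage):
    return {"EventID": 1, "ProcessId": pid, "Image": image, "CommandLine": cmd,
            "ParentProcessId": ppid, "ParentImage": pimage}


def _dns(pid, image, name):
    return {"EventID": 22, "ProcessId": pid, "Image": image, "QueryName": name}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events mirroring the report's process tree, plus benign controls.
SAMPLE_EVENTS = [
    _proc(5060, SAMPLE, f'"{SAMPLE}"', 4000, r"C:\Windows\explorer.exe"),  # parent assumed
    _proc(2492, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bYHUEbNIzaoT" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD34E.tmp"', 5060, SAMPLE),
    _proc(1792, SAMPLE, '"{path}"', 5060, SAMPLE),
    _proc(844, r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1808", 1792, SAMPLE),
    _dns(1792, SAMPLE, "checkip.dyndns.org"),  # attribution to 1792 assumed
    _dns(1792, SAMPLE, "freegeoip.app"),
    # Controls: a browser spawning itself with its real path, an installer
    # registering a task from ProgramData, and an ordinary DNS query.
    _proc(7000, CHROME, f'"{CHROME}" --type=renderer', 6990, CHROME),
    _proc(7100, r"C:\Windows\System32\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\task.xml"',
          7090, r"C:\ProgramData\Vendor\setup.exe"),
    _dns(7000, CHROME, "www.google.com"),
]

if __name__ == "__main__":
    for finding in analyze_process_events(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is the one to tune in production: it should fire on the "{path}" case and on any self-spawn with an empty or placeholder command line, while the chrome control shows why the check is "does the command line name the executable" rather than "does the process spawn itself". On the constructed events the block returns five findings, in order: the Temp-XML scheduled task from PID 2492, the self-spawn of PID 1792, the crash of PID 1792 reported by WerFault PID 844, and the two IP-lookup queries attributed to 1792; the three control events produce nothing.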
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f913f9abda61dee2ae208de27c924bcf_JaffaCakes118.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
  Usage log written by the 32-bit .NET Framework 4 runtime (CLR_v4.0_32) for this executable: the sample is a managed (.NET) loader running as a 32-bit process.

C:\Users\Admin\AppData\Local\Temp\tmpD34E.tmp
  Filesize: 1KB
  MD5: d8bffd1a5d5c88e376a2b2d9e94a4296
  SHA1: c9a28423d221b9887349104ac41fea3af70271e5
  SHA256: 843d3e7edeac0a98df590b2b7b48fca17f2710a13cbe41d90c5e86bbb4dc39ee
  SHA512: da0e2fd093a2c4f64aba3668a785690412df4dc6476a612942c3389f68cbb4514541ee0a54d2b603110139d5a67d955ddcdc83b900b09b934b639f31a6a4ce46
  The task definition XML passed to schtasks.exe /XML for the task Updates\bYHUEbNIzaoT (see the process tree). Its hash identifies the persistence artifact on other hosts even if the task name is randomised.

Memory dumps, PID 5060 (original process):
  memory/5060-0-0x0000000000CC0000-0x0000000000D50000-memory.dmp   576KB
  memory/5060-1-0x0000000074D50000-0x0000000075500000-memory.dmp   7.7MB
  memory/5060-2-0x0000000005BD0000-0x0000000006174000-memory.dmp   5.6MB
  memory/5060-3-0x00000000056E0000-0x0000000005772000-memory.dmp   584KB
  memory/5060-4-0x0000000005950000-0x0000000005960000-memory.dmp   64KB
  memory/5060-5-0x00000000058A0000-0x00000000058AA000-memory.dmp   40KB
  memory/5060-6-0x0000000005990000-0x0000000005998000-memory.dmp   32KB
  memory/5060-7-0x0000000006980000-0x0000000006A1C000-memory.dmp   624KB
  memory/5060-8-0x0000000074D50000-0x0000000075500000-memory.dmp   7.7MB
  memory/5060-9-0x0000000005950000-0x0000000005960000-memory.dmp   64KB
  memory/5060-10-0x0000000008310000-0x0000000008384000-memory.dmp  464KB
  memory/5060-11-0x0000000006C90000-0x0000000006CBA000-memory.dmp  168KB
  memory/5060-12-0x0000000008250000-0x00000000082B6000-memory.dmp  408KB
  memory/5060-19-0x0000000074D50000-0x0000000075500000-memory.dmp  7.7MB

Memory dumps, PID 1792 (hollowed child):
  memory/1792-16-0x0000000000400000-0x0000000000424000-memory.dmp  144KB  (family_snakekeylogger YARA match)
  memory/1792-20-0x0000000074D50000-0x0000000075500000-memory.dmp  7.7MB
  memory/1792-21-0x0000000005940000-0x0000000005950000-memory.dmp  64KB   (family_snakekeylogger YARA match)
  memory/1792-22-0x0000000074D50000-0x0000000075500000-memory.dmp  7.7MB

The 144KB dump at 0x00400000 in PID 1792 sits at the default image base of a 32-bit executable and is the region the hollowing step wrote into the child; it is the dump to pull for static analysis of the unpacked Snake Keylogger payload rather than the original 549KB loader. The 7.7MB region at 0x74D50000 is the same module mapped in both processes.