Analysis
Max time kernel: 120s
Max time network: 135s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
Submitted: 19-04-2024 07:00
Behavioral task: behavioral1
Sample: f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Resource: win10v2004-20240412-en
General
Target: f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Size: 1.2MB
MD5: f9c26994bcc0cde13e83161e590e8553
SHA1: 88a3353c711e5218982f29793ee9f3e7b8f55139
SHA256: 5a7e4c6cb88430f5f8bc4f0b44df747163bf73f4e930b4cbf75957542e11dcc4
SHA512: f6ba47854dd2739a3b902d7aa3d70ea822324e08c44c3b109798c1e53ae6f5b5e4b0784e2058417f3621dfee8c58f70d10fc65967882242505337ce85584dfb5
SSDEEP: 12288:gkDkLWLDJM5vd4vInh4sYbGc0Sv1lxKvwdoO7ifh/WM6EF4:OLWxKQbX0Sv1Tndx0/d
Malware Config
Signatures
- StormKitty
StormKitty is an open source info stealer written in C#.

- StormKitty payload (1 IoC)
Processes:
resource: behavioral2/memory/2128-0-0x0000000000360000-0x0000000000494000-memory.dmp
yara_rule: family_stormkitty

- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 28: freegeoip.app
flow 24: ip-api.com
flow 27: freegeoip.app

- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened / \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe
Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid / process):
2128 / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe (this entry is recorded 9 times)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
Token: SeDebugPrivilege / 2128 / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description / pid / process / target process):
PID 2128 wrote to memory of 1032 / 2128 / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe / cmd.exe
PID 2128 wrote to memory of 1032 / 2128 / f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe / cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\f9c26994bcc0cde13e83161e590e8553_JaffaCakes118.exe" (PID: 2128)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe "cmd.exe" (PID: 1032, child of 2128)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 100KB
MD5: 834e0fd6fe45252795b31467cf2a4255
SHA1: f7ba8a9d4195be3e3ff13231dc0d99b76c5a7380
SHA256: 59e6025ad3ab5b49a79f76dee59277735c31f9cca32bec5d57f85cde9b876b23
SHA512: 1db02bebc1d50e29503a1f394ae260f238e2c4d12ed4e9579dbe03d707db7a023e21259be91ba07faee021f02e746035316a2a8722698fa48de844aa456d8546
- Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
- Filesize: 2KB
MD5: 9d97ebfc20595fc0f2cfc2ad7123f774
SHA1: 8c8b4fd08548c60ee321070114340009bff57022
SHA256: a2a35f3ec3bf72e66ff5ec5a10afe9d2bf0d2237b2d2b84780b4784f3df33ee8
SHA512: 9a924de83098f15b14dd3f0867820c19b8d17a146a5d0185a9d6ba8d7036d47ff28a841269ebc764bbd7ca7c9d9d79ce6c023e22ef9a8711b8382e0042cc40fa
- Filesize: 2KB
MD5: b2cfb7f2bb2c27a5be136347d6eabecf
SHA1: ffb6bb0fdbf44dc22312a7107f82b890572b0782
SHA256: eefa54163217469488342c083027ec0216ad059faea97bf68cb2e16f07fe04b4
SHA512: f2b65baf2baa2ec41ba3ee0913fe90f911cb1d41d7a406bcc6773aa45a72b05524a3170dc8204e2da842cccf5804bbb853703f2779282e23ee29d09075bf16d4
- Filesize: 1KB
MD5: cf5c6ab75439e4274a79753f28370deb
SHA1: 808e7d7ca9114fc1700f3f6a179b18d61f1133d4
SHA256: 36233cfdbdd25ec0634e0a569a4e3e492d2416e50dfb9ab7d15a54023416065a
SHA512: 119d02bddf6ec39a2f4fa7dd9708131e3639dad5595fe0a0a9505c574711cf9faf8d8cb8045180c0b2f5ac146242a634e909e53e1cc27e2bdc59a35f88e44aa4