Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 22:21

Static task: static1
Behavioral task: behavioral1
Sample: 06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
Size: 2.6MB
MD5: 06332c76bab3c4b5b15158f41f92b3b8
SHA1: 8d837c4126ee98e94c5664d4f17bfe69389da8a5
SHA256: 85f7a009f0f9e0d9bf057edc24bf584eb08349cec1818588d3a61106dbd2ab99
SHA512: 846451df9130c85168e4e0d057a92b74bd025e77536734ce828d1a3ee6d68b3f488ea2c318eccb32a917d47b5157d155e229ea8a238bf495017a59f545614a0f
SSDEEP: 49152:Pmxak0hQbAzDlk5G/xYmBvclEJZPIZwjnHTow5OiW8CtQw8j+DdT9jOotbgJSr3n:+k5GbA9hv8EJdboH3mml6iqN
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation  (06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
  PID 4544  ba21e.exe
  PID 3848  ba21e.exe

Loads dropped DLL (3 IoCs)
  PID 2400  06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe
  PID 4544  ba21e.exe
  PID 3848  ba21e.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets. The report does not list which process triggered this signature.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  (ba21e.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  (ba21e.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  (ba21e.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  (ba21e.exe)
Note: these are the WinINet cache, cookie and history directories of the SYSTEM profile as seen by a 32-bit process (System32\config\systemprofile redirected to SysWOW64). WinINet creates them when it is first used from a process running as LocalSystem, so the entry is better read as "uses WinINet from a SYSTEM-context process" than as a write into System32 proper.

Drops file in Program Files directory (4 IoCs)
  File created: C:\Program Files (x86)\SmartData\cd.dll  (ba21e.exe)
  File created: C:\Program Files (x86)\SmartData\performer.exe  (ba21e.exe)
  File opened for modification: C:\Program Files (x86)\SmartData\performer.exe  (ba21e.exe)
  File created: C:\Program Files (x86)\SmartData\ba21e.exe  (06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe)
Note: writing under Program Files (x86) needs an administrative or SYSTEM token under default ACLs. performer.exe is written but does not appear in the process tree or in the Downloads list, so nothing in this run shows it executing.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios  (06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe)
Note: SystemProductName names the hypervisor product on VMware and VirtualBox guests and is a common VM/sandbox check; the report does not show what the sample did with the value.

Modifies data under HKEY_USERS (8 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (ba21e.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  (ba21e.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  (ba21e.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  (ba21e.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  (ba21e.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  (ba21e.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  (ba21e.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  (ba21e.exe)
Note: HKU\.DEFAULT is the hive a LocalSystem process sees as its own user hive. The ZoneMap and 5.0\Cache values are the defaults WinINet typically writes on first use under a profile, so these entries are a side effect of the same WinINet initialisation as the systemprofile directories above rather than a deliberate zone-map change.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 2400  06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe  (12 entries)
  PID 3848  ba21e.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeTcbPrivilege  PID 3848  ba21e.exe
Note: SeTcbPrivilege ("Act as part of the operating system") is present in the LocalSystem token and is not granted to users or administrators by default; successfully enabling it is a strong indication that PID 3848 (the /srv instance) runs as SYSTEM.

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2400 (06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe) wrote to memory of PID 712 (cmd.exe)  x3
  PID 712 (cmd.exe) wrote to memory of PID 4252 (choice.exe)  x3
  PID 712 (cmd.exe) wrote to memory of PID 4544 (ba21e.exe)  x3
Note: every target is the writer's own direct child, and the three writes per child match what this sandbox records for ordinary process creation (the parent writing the new process's startup data). Nothing here shows injection into an unrelated process.
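Added example, not part of the sandbox report and not the sample's own code: a small Python classifier that replays the registry, file and token IoCs above as constructed event tuples and tags each process with what the access pattern implies. The event tuples mirror the entries listed in this section (the notepad.exe line is a made-up benign control), and the rule names, regexes and the `likely_system_context` heuristic are this example's own assumptions rather than the sandbox's signature logic.

```python
import re
from collections import defaultdict

# Constructed event tuples (pid, image, operation, target) mirroring the IoC
# lines in the Signatures section; the notepad.exe line is a made-up benign
# control and did not occur in this analysis.
SAMPLE = "06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe"
EVENTS = [
    (2400, SAMPLE, "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation"),
    (2400, SAMPLE, "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    (3848, "ba21e.exe", "Set value (int)",
     r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"),
    (3848, "ba21e.exe", "File opened for modification",
     r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies"),
    (3848, "ba21e.exe", "Token", "SeTcbPrivilege"),
    (5100, "notepad.exe", "Key value queried",
     r"\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Notepad\iWindowPosX"),
]

# Rule names are this example's own labels, not the sandbox's signature names.
RULES = {
    # HKCU\Control Panel\International\Geo\Nation holds the user's configured country
    "geofence_lookup": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    # HKLM\HARDWARE\DESCRIPTION\System\BIOS names the hypervisor product on VM guests
    "bios_fingerprint": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I),
    # HKU\.DEFAULT and config\systemprofile are what a LocalSystem process
    # sees as its own user hive and profile directory
    "system_profile_artifact": re.compile(
        r"\\REGISTRY\\USER\\\.DEFAULT\\|\\config\\systemprofile\\", re.I),
    # "Act as part of the operating system": in the SYSTEM token, not a user's
    "tcb_privilege": re.compile(r"^SeTcbPrivilege$"),
}


def classify(events):
    """Map (pid, image) -> set of rule names whose pattern matched a target."""
    hits = defaultdict(set)
    for pid, image, _operation, target in events:
        for name, pattern in RULES.items():
            if pattern.search(target):
                hits[(pid, image)].add(name)
    return dict(hits)


def likely_system_context(tags):
    """Heuristic: both SYSTEM-only artefacts together suggest a LocalSystem token."""
    return {"tcb_privilege", "system_profile_artifact"} <= set(tags)


def report(events):
    """One summary line per tagged process, untagged processes omitted."""
    lines = []
    for (pid, image), tags in sorted(classify(events).items()):
        ctx = " [likely SYSTEM context]" if likely_system_context(tags) else ""
        lines.append(f"PID {pid} {image}: {', '.join(sorted(tags))}{ctx}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(EVENTS)))
```

Run against the events above, PID 2400 is tagged with the geofence and BIOS lookups only, while PID 3848 collects both SYSTEM-context artefacts; the benign control produces no line at all.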
Processes

1. C:\Users\Admin\AppData\Local\Temp\06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe  (PID 2400)
   "C:\Users\Admin\AppData\Local\Temp\06332c76bab3c4b5b15158f41f92b3b8_JaffaCakes118.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Enumerates system info in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (PID 712)
      "C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & "C:\Program Files (x86)\SmartData\ba21e.exe" /start
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\choice.exe  (PID 4252)
         choice /C Y /N /D Y /T 3

      3. C:\Program Files (x86)\SmartData\ba21e.exe  (PID 4544)
         "C:\Program Files (x86)\SmartData\ba21e.exe" /start
         - Executes dropped EXE
         - Loads dropped DLL

1. C:\Program Files (x86)\SmartData\ba21e.exe  (PID 3848)
   "C:\Program Files (x86)\SmartData\ba21e.exe" /srv
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Modifies data under HKEY_USERS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken

Reading the tree (PIDs taken from the Signatures section): the sample copies itself to C:\Program Files (x86)\SmartData\ba21e.exe (the Downloads section lists identical hashes for the copy), then uses "choice /C Y /N /D Y /T 3" as a three-second sleep (choice selects the /D default after /T seconds) before starting the copy with /start. cmd.exe and choice.exe resolve to SysWOW64 even though the command line names System32 because the parent is a 32-bit process and WOW64 redirects its request. The /srv instance (PID 3848) has no recorded parent and carries the SYSTEM-profile and SeTcbPrivilege artifacts listed above, which is consistent with the /start instance registering it as a service; the report does not show the service creation itself.
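Added example, not from the report and not the sample's code: Python that recognises the sleep-then-launch command line used by PID 712 above and generalises it to the other cmd.exe sleep substitutes a practitioner commonly sees (timeout and ping), plus a check for the WOW64 path redirection visible on cmd.exe. The first two command lines are copied from the tree above; the third is a constructed variant that did not occur in this analysis. The regexes, function names and the dropped-file list are this example's own.

```python
import re

# Delay idioms used in cmd.exe one-liners, with a converter from the captured
# numeric argument to an approximate number of seconds. Names and regexes are
# this example's own.
DELAY_PATTERNS = [
    # choice /C Y /N /D Y /T 3 : picks the /D default after /T seconds
    ("choice", re.compile(r"\bchoice\b[^&|]*?/T\s+(\d+)", re.I), lambda n: n),
    # timeout /t 5 : waits n seconds
    ("timeout", re.compile(r"\btimeout\b[^&|]*?/T\s+(\d+)", re.I), lambda n: n),
    # ping -n 4 127.0.0.1 : n echo requests one second apart, so roughly n-1 s
    ("ping", re.compile(r"\bping\b[^&|]*?-n\s+(\d+)", re.I), lambda n: max(n - 1, 0)),
]

# The executable launched after the "&": a quoted or bare drive-letter path,
# optionally followed by arguments, at the end of the command line.
LAUNCH_RE = re.compile(r'&\s*"?([A-Za-z]:\\[^"&]+?\.exe)"?(\s+[^&]*)?\s*$', re.I)


def analyze_cmdline(cmdline, dropped_paths=()):
    """Describe a sleep-then-launch chain, or return None.

    dropped_paths: files the sandbox saw the sample write, used to flag
    'runs a file it just dropped', the pattern in the tree above.
    """
    launch = LAUNCH_RE.search(cmdline)
    if not launch:
        return None
    before_launch = cmdline[:launch.start()]
    for name, pattern, to_seconds in DELAY_PATTERNS:
        m = pattern.search(before_launch)
        if m:
            exe = launch.group(1)
            return {
                "sleep_via": name,
                "seconds": to_seconds(int(m.group(1))),
                "launches": exe,
                "args": (launch.group(2) or "").strip(),
                "runs_dropped_file": exe.lower() in {p.lower() for p in dropped_paths},
            }
    return None


def wow64_redirected(image_path, cmdline):
    """True when the command line asked for System32 but the child image lives
    in SysWOW64: file-system redirection for a 32-bit parent, as for PID 712."""
    first = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return "\\syswow64\\" in image_path.lower() and "\\system32\\" in first.lower()


# The first two command lines are from the tree above; the third is a
# constructed variant that did not occur in this analysis.
CMDLINE_712 = (r'"C:\Windows\System32\cmd.exe" /S /C choice /C Y /N /D Y /T 3 & '
               r'"C:\Program Files (x86)\SmartData\ba21e.exe" /start')
CMDLINE_4252 = r"choice /C Y /N /D Y /T 3"
CMDLINE_CONSTRUCTED = r"cmd.exe /c ping -n 4 127.0.0.1 >nul & C:\Users\Public\update.exe"
DROPPED = [r"C:\Program Files (x86)\SmartData\ba21e.exe"]  # from the Program Files IoCs above

if __name__ == "__main__":
    for c in (CMDLINE_712, CMDLINE_4252, CMDLINE_CONSTRUCTED):
        print(analyze_cmdline(c, DROPPED))
    print(wow64_redirected(r"C:\Windows\SysWOW64\cmd.exe", CMDLINE_712))
```

The check is anchored on the parent's command line: the child choice.exe (PID 4252) on its own returns None, because the signal is the chain "sleep, then run a freshly dropped binary", not the sleep by itself.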
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files (x86)\SmartData\ba21e.exe
  Filesize: 2.6MB
  MD5:    06332c76bab3c4b5b15158f41f92b3b8
  SHA1:   8d837c4126ee98e94c5664d4f17bfe69389da8a5
  SHA256: 85f7a009f0f9e0d9bf057edc24bf584eb08349cec1818588d3a61106dbd2ab99
  SHA512: 846451df9130c85168e4e0d057a92b74bd025e77536734ce828d1a3ee6d68b3f488ea2c318eccb32a917d47b5157d155e229ea8a238bf495017a59f545614a0f
  Note: every digest matches the submitted sample, so ba21e.exe is a byte-for-byte copy of the dropper, not a separately unpacked payload.

C:\Users\Admin\AppData\Local\Temp\cd.dll
  Filesize: 692KB
  MD5:    8b9e960ba4971deedbc8f141ea20e58c
  SHA1:   194307d3493b723dde50ee65a069bf702353b3dd
  SHA256: fb637cf304db7a39a7474cf222789fc9560a69334ec1871accfb476790975e4e
  SHA512: 9b2fafffb40db5fdef41fe77c3b9424ae8d54c2258a526b7abd013d4058388a41397ceb7d5621e60991771908385b6b9228a31a7369c60a17e48e234685e4ada
  Note: the Signatures section also records ba21e.exe creating C:\Program Files (x86)\SmartData\cd.dll; only the Temp copy's hashes are listed here.