Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Size: 403KB
- MD5: 04f9ef26b34ec6b27f96fb86f604d5f5
- SHA1: d52f862ac4b61833800c29a4b9c5ab45c158864b
- SHA256: b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf
- SHA512: b10b992b3e6336b6a9ce20ac8046ddc63ea8f3ecdf448915171b2233a884125dc3415ca873437c5eec8b0dd247258069f8869030f04fe552590e34690faf618f
- SSDEEP: 6144:46PVn1IxOksTZAQ7vOQFAq+vdA34F53W3iUKaah:4Grkin79AqydA65BUKaa
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url (process: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 2: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
  - PID 2288 (04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe) set thread context of PID 2672 (RegAsm.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, RegAsm.exe
  - PID 2288 (04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe): 2 events
  - PID 2672 (RegAsm.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, RegAsm.exe
  - Token: SeDebugPrivilege, PID 2288 (04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe)
  - Token: SeDebugPrivilege, PID 2672 (RegAsm.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, csc.exe
  - PID 2288 (04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe) wrote to memory of PID 2828 (csc.exe): 4 events
  - PID 2828 (csc.exe) wrote to memory of PID 2476 (cvtres.exe): 4 events
  - PID 2288 (04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe) wrote to memory of PID 2672 (RegAsm.exe): 12 events
- outlook_office_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
- outlook_win_path (1 IoC)
  Processes: RegAsm.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegAsm.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES619.tmp" "c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES619.tmp
  Filesize: 1KB
  MD5: 564d3175c90fd3e8bccc288e4652b8fb
  SHA1: bac52c16374b7a47df9addf3bc729915207d6d82
  SHA256: 1fe3d0fd5cc7f2bf6167b1a835840e204de0723750b6a61f34013db8f2c81715
  SHA512: b70805353305cc476432d5470c00052369efe8398c7c14725a55ae6e2b56f39a8be2a844e043c019df7c0e0d8c99bacd7ffbb371fe0fb96e6eb807b81f93eadd
- C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.dll
  Filesize: 8KB
  MD5: 66b7cb0564c58d4ac66aac8c2a9e7477
  SHA1: 603d3e7d96fefce58a32477bde1db36bd10d4f53
  SHA256: d1d7e19f06ae54b1675fb2004c00df84bbbdcdeec7356da3bb7a96082894c49d
  SHA512: f7629218cd6c3c6b9874b79bc1a3d85d33c4e9592cecd77190daf3f2b1c4842193409eec7262f8e5f02f8d7379a22ef12807dbadce2304fc0a192e56998d8b1c
- C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.pdb
  Filesize: 21KB
  MD5: 28a150d41d0d5cc7761cac40e55a7a33
  SHA1: 50c054c0d21d3337affb987e9afb49b0a248e48c
  SHA256: 74ee2cd42714859a23a56e1420279a39b1479d534d0a1bda97ab409ce3f2b30d
  SHA512: 7d4d2724b1d73a355a3020d283fa8049e78b41c45e12efcebe11aebfb7c9e1be5372884aea07c5c95c83066265040a9bd825c1fe8e6ead19f03cab6d8d5ad48c
- \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP
  Filesize: 1KB
  MD5: d0e3df5cdf9b9b515cb96b2c2374ee2a
  SHA1: c412db9c9877ef2da3025d773badb5edd47949af
  SHA256: 3be86dd8d205cf5b7e7b9f41f120d820f01147a091515f703f07133f67ad3ded
  SHA512: 3ae8279c865a28aeb231cf8686e75bfc7e5b7c3f7da55da2a5b0a33c13822d81918590f6d0f73b3ebc3c8c04d79ffe5fe296b17809f7e65ad2ed2bfc6e888ed0
- \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.0.cs
  Filesize: 9KB
  MD5: cec8f2e3a2c387a64a1a649aa907b99b
  SHA1: 76ca40cdd600e069e48a041bd2748ba2a5a953c0
  SHA256: 7d1f5fb153bff32f51816ebe73fe497ac137e57376984b2c14155ad65d21cb4f
  SHA512: 2ad91ef2149022d8d6ab777a22f2e30b0b36f2cb4e0c58c43ed019399999cf7544f037688550f5fbd331c3bbde8e0f5a09cdffbe6e6a8302afdf936f16c4ddcc
- \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline
  Filesize: 312B
  MD5: 569f2673e84a153bbf67001078c73e67
  SHA1: cfd0e5320264a1403bdc35faf4e23a3d07af7ff6
  SHA256: 3854b1195c61f32f466fbc1b4282092cd3fd0aec083d71f3cee3c9af34325f5d
  SHA512: 1ec81e9f5596143e51085624a76cb6babcb5a744e29e9f856229b31254699ba6883e8d16d44d2a739d7552f4cfd21510e58d0d45633a79bafa5cd2ec15aec334
- memory/2288-24-0x0000000000DF0000-0x0000000000E26000-memory.dmp (Filesize: 216KB)
- memory/2288-1-0x0000000073FB0000-0x000000007469E000-memory.dmp (Filesize: 6.9MB)
- memory/2288-38-0x0000000073FB0000-0x000000007469E000-memory.dmp (Filesize: 6.9MB)
- memory/2288-2-0x00000000005C0000-0x0000000000600000-memory.dmp (Filesize: 256KB)
- memory/2288-0-0x0000000001040000-0x00000000010AA000-memory.dmp (Filesize: 424KB)
- memory/2288-20-0x0000000000C90000-0x0000000000CD0000-memory.dmp (Filesize: 256KB)
- memory/2288-21-0x0000000000490000-0x000000000049C000-memory.dmp (Filesize: 48KB)
- memory/2288-3-0x0000000000390000-0x0000000000398000-memory.dmp (Filesize: 32KB)
- memory/2288-18-0x0000000000420000-0x0000000000428000-memory.dmp (Filesize: 32KB)
- memory/2672-30-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-33-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-29-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-27-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-25-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-37-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-35-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/2672-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)