Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
  • submitted
    28-04-2024 10:23

General

  • Target

    04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe

  • Size

    403KB

  • MD5

    04f9ef26b34ec6b27f96fb86f604d5f5

  • SHA1

    d52f862ac4b61833800c29a4b9c5ab45c158864b

  • SHA256

    b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf

  • SHA512

    b10b992b3e6336b6a9ce20ac8046ddc63ea8f3ecdf448915171b2233a884125dc3415ca873437c5eec8b0dd247258069f8869030f04fe552590e34690faf618f

  • SSDEEP

    6144:46PVn1IxOksTZAQ7vOQFAq+vdA34F53W3iUKaah:4Grkin79AqydA65BUKaa

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, and infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
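
The signatures above are path-based: each one fires when the sample touches a well-known credential store. The following added example (not part of this report or the sandbox's own signature engine) maps sandbox-style access events to those signature names using the stores' known locations: the WinSCP sessions registry key, FileZilla's sitemanager.xml and recentservers.xml, the two Outlook profile registry paths behind outlook_office_path and outlook_win_path, Chromium "Login Data" and Firefox logins.json, and Thunderbird profiles. The IP-lookup host list and the sample events are constructed for illustration and are not taken from this analysis.

```python
import re
from collections import defaultdict

# Patterns for the credential stores behind the sandbox signatures above.
# The file and registry paths are the well-known store locations; the
# IP-lookup host list is illustrative (an assumption), not from this report.
SIGNATURE_PATTERNS = {
    "Reads WinSCP keys stored on the system": [
        r"\\Software\\Martin Prikryl\\WinSCP 2\\Sessions",
        r"\\WinSCP\.ini$",
    ],
    "Reads data files stored by FTP clients": [
        r"\\FileZilla\\(sitemanager|recentservers)\.xml$",
    ],
    "Reads user/profile data of local email clients": [
        r"\\Thunderbird\\Profiles\\",
    ],
    "outlook_office_path": [
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles",
    ],
    "outlook_win_path": [
        r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
    ],
    "Reads user/profile data of web browsers": [
        r"\\User Data\\[^\\]+\\Login Data$",            # Chromium-based browsers
        r"\\Firefox\\Profiles\\[^\\]+\\logins\.json$",  # Firefox
    ],
    "Looks up external IP address via web service": [
        r"^https?://(checkip\.dyndns\.org|api\.ipify\.org)\b",  # illustrative hosts
    ],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURE_PATTERNS.items()}


def classify_accesses(events):
    """Map access events to the signatures they would trigger.

    events: iterable of (operation, target) tuples, e.g. ("RegOpenKey", key),
    ("CreateFile", path) or ("HttpOpenRequest", url).
    Returns {signature_name: [targets that matched]} for every signature hit.
    """
    hits = defaultdict(list)
    for _op, target in events:
        for name, patterns in COMPILED.items():
            if any(p.search(target) for p in patterns):
                hits[name].append(target)
    return dict(hits)


# Constructed sample of what a hollowed RegAsm.exe child might do; these
# lines are made up for illustration and are not taken from the report.
SAMPLE_EVENTS = [
    ("RegOpenKey", r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"),
    ("CreateFile", r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"),
    ("RegOpenKey", r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles"),
    ("RegOpenKey", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    ("CreateFile", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("CreateFile", r"C:\Users\Admin\AppData\Local\Temp\RES619.tmp"),  # benign, must not match
    ("HttpOpenRequest", "http://checkip.dyndns.org/"),
]

if __name__ == "__main__":
    for name, targets in classify_accesses(SAMPLE_EVENTS).items():
        print(f"{name}: {len(targets)} hit(s)")
```

Run against a real sandbox or Procmon export, the operation field is the place to tighten matching (a RegOpenKey on the Sessions key is far more specific than a directory enumeration that merely lists it).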

Processes

  • C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES619.tmp" "c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP"
        3⤵
          PID:2476
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2672
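
The tree above shows two things worth alerting on: a binary running from the user's Temp directory invokes csc.exe with a response file in that same directory (runtime C# compilation, the ml5omzl4.dll and .cs artifacts listed under Downloads), and then starts RegAsm.exe with no arguments while itself exhibiting SetThreadContext and WriteProcessMemory. RegAsm.exe with an empty command line registers nothing; together with the parent's API use and the fact that the 216KB region dumped from PID 2288 (memory/2288-24) is the same size as the 0x400000-0x436000 image region repeatedly dumped from PID 2672, this is consistent with the parent writing its payload into RegAsm.exe. The following added example (our code, not the sandbox's) runs that logic over process-creation events in a Sysmon Event ID 1 style layout; the PIDs and command lines are copied from the report, the field layout and the list of .NET hollowing hosts are assumptions.

```python
import re

# Process-creation events mirroring the tree above. PIDs, images and command
# lines come from the report; the dict layout is ours (Sysmon Event ID 1 style).
SAMPLE_PROCESSES = [
    {"pid": 2288, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"'},
    {"pid": 2828, "ppid": 2288,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline"'},
    {"pid": 2476, "ppid": 2828,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES619.tmp" "c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP"'},
    {"pid": 2672, "ppid": 2288,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'},
]

# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Signed .NET utilities commonly chosen as hollowing hosts (assumed starting
# list; extend from your own telemetry).
DOTNET_HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Strip the (possibly quoted) image token and return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def find_hollowing_chain(processes):
    """Return [(pid, reason)] for children that fit the compile-then-hollow pattern."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        parent_in_user_dir = bool(USER_WRITABLE.search(parent["image"]))
        name = basename(p["image"])
        args = args_after_image(p["cmdline"])
        # csc.exe is normal under an IDE or MSBuild; from a Temp-resident parent
        # with its response file also in AppData it is runtime compilation.
        if name == "csc.exe" and parent_in_user_dir and USER_WRITABLE.search(args):
            findings.append((p["pid"], "runtime C# compilation from a user-writable directory, parent %d" % parent["pid"]))
        # A hollowing host started with no arguments does nothing useful on its
        # own; legitimate RegAsm/RegSvcs invocations pass an assembly path.
        if name in DOTNET_HOLLOW_TARGETS and args == "" and parent_in_user_dir:
            findings.append((p["pid"], "%s started with no arguments by %d: likely process-hollowing host" % (name, parent["pid"])))
    return findings


if __name__ == "__main__":
    for pid, reason in find_hollowing_chain(SAMPLE_PROCESSES):
        print(pid, reason)
```

cvtres.exe under csc.exe is the compiler's own resource converter and is deliberately not flagged; the signal is the parent's location and the empty RegAsm.exe command line, not the presence of the .NET tools themselves. In a real pipeline, correlate the RegAsm.exe finding with the parent's SetThreadContext and WriteProcessMemory calls before escalating.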

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Credential Access

      • Unsecured Credentials T1552 (4 signatures)
        • Credentials In Files T1552.001 (3 signatures)
        • Credentials in Registry T1552.002 (1 signature)

    Collection

      • Data from Local System T1005 (4 signatures)
      • Email Collection T1114 (1 signature)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES619.tmp
      Filesize

      1KB

      MD5

      564d3175c90fd3e8bccc288e4652b8fb

      SHA1

      bac52c16374b7a47df9addf3bc729915207d6d82

      SHA256

      1fe3d0fd5cc7f2bf6167b1a835840e204de0723750b6a61f34013db8f2c81715

      SHA512

      b70805353305cc476432d5470c00052369efe8398c7c14725a55ae6e2b56f39a8be2a844e043c019df7c0e0d8c99bacd7ffbb371fe0fb96e6eb807b81f93eadd

    • C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.dll
      Filesize

      8KB

      MD5

      66b7cb0564c58d4ac66aac8c2a9e7477

      SHA1

      603d3e7d96fefce58a32477bde1db36bd10d4f53

      SHA256

      d1d7e19f06ae54b1675fb2004c00df84bbbdcdeec7356da3bb7a96082894c49d

      SHA512

      f7629218cd6c3c6b9874b79bc1a3d85d33c4e9592cecd77190daf3f2b1c4842193409eec7262f8e5f02f8d7379a22ef12807dbadce2304fc0a192e56998d8b1c

    • C:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.pdb
      Filesize

      21KB

      MD5

      28a150d41d0d5cc7761cac40e55a7a33

      SHA1

      50c054c0d21d3337affb987e9afb49b0a248e48c

      SHA256

      74ee2cd42714859a23a56e1420279a39b1479d534d0a1bda97ab409ce3f2b30d

      SHA512

      7d4d2724b1d73a355a3020d283fa8049e78b41c45e12efcebe11aebfb7c9e1be5372884aea07c5c95c83066265040a9bd825c1fe8e6ead19f03cab6d8d5ad48c

    • \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\CSCFAFA71BD88F24CB6B47AFD25852D47A7.TMP
      Filesize

      1KB

      MD5

      d0e3df5cdf9b9b515cb96b2c2374ee2a

      SHA1

      c412db9c9877ef2da3025d773badb5edd47949af

      SHA256

      3be86dd8d205cf5b7e7b9f41f120d820f01147a091515f703f07133f67ad3ded

      SHA512

      3ae8279c865a28aeb231cf8686e75bfc7e5b7c3f7da55da2a5b0a33c13822d81918590f6d0f73b3ebc3c8c04d79ffe5fe296b17809f7e65ad2ed2bfc6e888ed0

    • \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.0.cs
      Filesize

      9KB

      MD5

      cec8f2e3a2c387a64a1a649aa907b99b

      SHA1

      76ca40cdd600e069e48a041bd2748ba2a5a953c0

      SHA256

      7d1f5fb153bff32f51816ebe73fe497ac137e57376984b2c14155ad65d21cb4f

      SHA512

      2ad91ef2149022d8d6ab777a22f2e30b0b36f2cb4e0c58c43ed019399999cf7544f037688550f5fbd331c3bbde8e0f5a09cdffbe6e6a8302afdf936f16c4ddcc

    • \??\c:\Users\Admin\AppData\Local\Temp\ml5omzl4\ml5omzl4.cmdline
      Filesize

      312B

      MD5

      569f2673e84a153bbf67001078c73e67

      SHA1

      cfd0e5320264a1403bdc35faf4e23a3d07af7ff6

      SHA256

      3854b1195c61f32f466fbc1b4282092cd3fd0aec083d71f3cee3c9af34325f5d

      SHA512

      1ec81e9f5596143e51085624a76cb6babcb5a744e29e9f856229b31254699ba6883e8d16d44d2a739d7552f4cfd21510e58d0d45633a79bafa5cd2ec15aec334

    • memory/2288-24-0x0000000000DF0000-0x0000000000E26000-memory.dmp
      Filesize

      216KB

    • memory/2288-1-0x0000000073FB0000-0x000000007469E000-memory.dmp
      Filesize

      6.9MB

    • memory/2288-38-0x0000000073FB0000-0x000000007469E000-memory.dmp
      Filesize

      6.9MB

    • memory/2288-2-0x00000000005C0000-0x0000000000600000-memory.dmp
      Filesize

      256KB

    • memory/2288-0-0x0000000001040000-0x00000000010AA000-memory.dmp
      Filesize

      424KB

    • memory/2288-20-0x0000000000C90000-0x0000000000CD0000-memory.dmp
      Filesize

      256KB

    • memory/2288-21-0x0000000000490000-0x000000000049C000-memory.dmp
      Filesize

      48KB

    • memory/2288-3-0x0000000000390000-0x0000000000398000-memory.dmp
      Filesize

      32KB

    • memory/2288-18-0x0000000000420000-0x0000000000428000-memory.dmp
      Filesize

      32KB

    • memory/2672-30-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-33-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-29-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-27-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-25-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-37-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-35-0x0000000000400000-0x0000000000436000-memory.dmp
      Filesize

      216KB

    • memory/2672-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB