Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 10:23
Static task: static1
Behavioral task: behavioral1
- Sample: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Size: 403KB
- MD5: 04f9ef26b34ec6b27f96fb86f604d5f5
- SHA1: d52f862ac4b61833800c29a4b9c5ab45c158864b
- SHA256: b6c5f7effcf88f4732d3761f46ac3c1b087f8feb1651ba26a5cd446f7f88dddf
- SHA512: b10b992b3e6336b6a9ce20ac8046ddc63ea8f3ecdf448915171b2233a884125dc3415ca873437c5eec8b0dd247258069f8869030f04fe552590e34690faf618f
- SSDEEP: 6144:46PVn1IxOksTZAQ7vOQFAq+vdA34F53W3iUKaah:4Grkin79AqydA65BUKaa
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
    Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    17 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    description | pid | process | target process
    PID 2616 set thread context of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, RegAsm.exe
    pid | process
    2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    4912 | RegAsm.exe
    4912 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, RegAsm.exe
    description | pid | process
    Token: SeDebugPrivilege | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
    Token: SeDebugPrivilege | 4912 | RegAsm.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe, csc.exe
    description | pid | process | target process
    PID 2616 wrote to memory of 872 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | csc.exe
    PID 2616 wrote to memory of 872 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | csc.exe
    PID 2616 wrote to memory of 872 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | csc.exe
    PID 872 wrote to memory of 3868 | 872 | csc.exe | cvtres.exe
    PID 872 wrote to memory of 3868 | 872 | csc.exe | cvtres.exe
    PID 872 wrote to memory of 3868 | 872 | csc.exe | cvtres.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
    PID 2616 wrote to memory of 4912 | 2616 | 04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe | RegAsm.exe
- outlook_office_path (1 IoC)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
- outlook_win_path (1 IoC)
  Processes: RegAsm.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegAsm.exe
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04f9ef26b34ec6b27f96fb86f604d5f5_JaffaCakes118.exe"
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3652.tmp" "c:\Users\Admin\AppData\Local\Temp\ftr3icgp\CSCC390DE038C50469E915260ABEE8F974B.TMP"
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES3652.tmp
  Filesize: 1KB
  MD5: a77041d51a1e7f8f68aa247d529dbe12
  SHA1: 27187c45f32ad343cf7b0d3e6e72172974de1d40
  SHA256: c6ca6104177953d010db18ca062e97ca7ea8650c77fb1216d76d4e6811839bf8
  SHA512: 4ea36e988949049d9a67046b7fde76db7e11ed91c34aae7b043163c58572045c3799bbbc227c8236c3aa42f7cb960e0576b7f8ef4d07da2ae4708ef0e6ab0d92
- C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.dll
  Filesize: 8KB
  MD5: a27fac3f75ad8ab89d68d26bfc72e9b1
  SHA1: 90f03572df787164cd0d9bba0409ffda46efbdae
  SHA256: 0b8ef8818f0e90e9a3eb59fa501dea164d38e35bdeaa17a89939d6d0f9b2ac25
  SHA512: 00cafbd0d67854e385bdb24a8c2595ae8a79f8c93d534ff7527279c9616cb3ccc6beffa0e5d9babf588d22370b7764829754d716bc908fa0e34dba18d1ed36c8
- C:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.pdb
  Filesize: 21KB
  MD5: 18ffeced335d4ac03b1591ccd50e36ff
  SHA1: 29da6250e6a1670fd7dd1883d4c0714387557654
  SHA256: 3cf35b3a97e026a9323fca3c7b720298a40e2b6e9baf4dfd8ca3e80a5ce06e89
  SHA512: 0ad836baa8f7f8392c2db9771953e319f8d9d7126d4ec1eba0d908bb76a467262af6f56513c3084ab002e5f6868f3655cec421050be629644876f8e66aedc13e
- \??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\CSCC390DE038C50469E915260ABEE8F974B.TMP
  Filesize: 1KB
  MD5: e8bc383c02f594b0fa57b87c7ed98370
  SHA1: 6e829b63d39bbceb4be8927861df91a4597e772f
  SHA256: a9937ebec420e00f362467c96bb9950636692864972bd3fe86e83bb8ea773f56
  SHA512: 5d1a5388357e4f9414365ee08cb8f9d3050335242beab726b42465abc1e571161ff2598d45ac4f3799e120adf847021b7311c8f358981964180d9b39ab28385f
- \??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.0.cs
  Filesize: 9KB
  MD5: cec8f2e3a2c387a64a1a649aa907b99b
  SHA1: 76ca40cdd600e069e48a041bd2748ba2a5a953c0
  SHA256: 7d1f5fb153bff32f51816ebe73fe497ac137e57376984b2c14155ad65d21cb4f
  SHA512: 2ad91ef2149022d8d6ab777a22f2e30b0b36f2cb4e0c58c43ed019399999cf7544f037688550f5fbd331c3bbde8e0f5a09cdffbe6e6a8302afdf936f16c4ddcc
- \??\c:\Users\Admin\AppData\Local\Temp\ftr3icgp\ftr3icgp.cmdline
  Filesize: 312B
  MD5: b82f5596353d57f4602cc84cea590505
  SHA1: c597ec2cc0be66c6e4095a2256639e08cb373d57
  SHA256: 3cc27f804e4e14d40ae3db4b8d055f533f430d0814fcb0a57afea6ec68987c3f
  SHA512: 825135e06aeca93cdfdbdf0f7521636a0be0356cc193af5c56f6b2782f042979785495593939ef4569645029556cdea2d750ceccea893afad70561abdd777bac

Memory dumps (pid-sequence-start-end)
- memory/2616-21-0x0000000005110000-0x0000000005150000-memory.dmp
  Filesize: 256KB
- memory/2616-26-0x00000000056B0000-0x000000000574C000-memory.dmp
  Filesize: 624KB
- memory/2616-3-0x00000000051A0000-0x00000000051B0000-memory.dmp
  Filesize: 64KB
- memory/2616-19-0x0000000005050000-0x0000000005058000-memory.dmp
  Filesize: 32KB
- memory/2616-2-0x0000000004F90000-0x0000000005022000-memory.dmp
  Filesize: 584KB
- memory/2616-1-0x0000000074B90000-0x0000000075340000-memory.dmp
  Filesize: 7.7MB
- memory/2616-0-0x00000000005D0000-0x000000000063A000-memory.dmp
  Filesize: 424KB
- memory/2616-22-0x00000000050F0000-0x00000000050FC000-memory.dmp
  Filesize: 48KB
- memory/2616-25-0x0000000005160000-0x0000000005196000-memory.dmp
  Filesize: 216KB
- memory/2616-4-0x0000000004F80000-0x0000000004F88000-memory.dmp
  Filesize: 32KB
- memory/2616-29-0x0000000074B90000-0x0000000075340000-memory.dmp
  Filesize: 7.7MB
- memory/4912-27-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize: 216KB
- memory/4912-30-0x0000000071020000-0x00000000715D1000-memory.dmp
  Filesize: 5.7MB
- memory/4912-31-0x00000000012C0000-0x00000000012D0000-memory.dmp
  Filesize: 64KB
- memory/4912-32-0x0000000071020000-0x00000000715D1000-memory.dmp
  Filesize: 5.7MB
- memory/4912-33-0x0000000071020000-0x00000000715D1000-memory.dmp
  Filesize: 5.7MB
- memory/4912-34-0x00000000012C0000-0x00000000012D0000-memory.dmp
  Filesize: 64KB
- memory/4912-35-0x0000000071020000-0x00000000715D1000-memory.dmp
  Filesize: 5.7MB