d70e4742b50d2db0b5c2e90eab0870e1560a7541a465f3a1d4e796ba1e794cc0

Analysis

max time kernel
127s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
Size

1018KB
MD5

0558490427bfa0c032a84833e99b4afc
SHA1

b4b61d3a41889b0d56830132b64e3635091f5db6
SHA256

d70e4742b50d2db0b5c2e90eab0870e1560a7541a465f3a1d4e796ba1e794cc0
SHA512

51f72654b790c4ec14a2a4a0b9cb21a79c61447555e3ad81d768956b548511c6560acd2b66519ff6bb16e653a9f053c3a421e7104f626f2296313689a2abfef4
SSDEEP

12288:U0BjVnAqXTX1LVQGPkEurwZu5x8/ks2UgUGl8DEUrgyHLEimZDPhTrAjjAtef:9nRTX1hQfJuu5x8/elO3gseZ1UjjAtef

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1772	tmppack.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
2856	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1772	2856	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	85
PID 2856 wrote to memory of 1772	2856	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	85
PID 2856 wrote to memory of 1772	2856	0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0558490427bfa0c032a84833e99b4afc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\JIBVWNUROVOXXSDIPJP\tmppack.exe
  -y
  2⤵
  - Executes dropped EXE
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\85ro3pn308\gui\MainProduct.html

Filesize
3KB

MD5
bbccaf41a1428f1a33357a10bc094edb

SHA1
612281956e1b9d895bbc078c271846f881e4c264

SHA256
50fdf1d3cd943aea15616a56391e6f388ea42be11ea3c269412af5b09ef9fbaf

SHA512
af6a25948746cfcdc0421ac1a96d2efa3fceaf9093c3931d25087d9c12258f06a410e7f7d5260d17d6dbdc00dde74df5b25cfda0260ac531a07b7a200ec41bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\85ro3pn308\gui\events\cav.xml

Filesize
981B

MD5
8a5e1aad7303d8174cf3ba5e3591624c

SHA1
5bc119db938869e24dc18f9f70a5039cefaa9b19

SHA256
a3dc8aa222cb5edb0d18f4526a0b0859647b48b4bdc52a5c9431c4ec6779f538

SHA512
3c5c491234024226e6486f7426ab941a38701e33a0d1c70012cd64080904c2ee3f4f792ed992e3e605357471bc4da30c661b843b6b2501c4bed4041c4a6bc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\85ro3pn308\wizard.xml

Filesize
5KB

MD5
bf9c108fed413e71a6ff2ee6fada6969

SHA1
ee260fc6a0340a8c911f6541c951eb906fc1699d

SHA256
6ddfb3c12f505a4c1dc57324c08798ba996e15e6800408a739bc0907776a4e7b

SHA512
5552a40c349bf6202b0862a8245515a485abc7dd5064b84a9976e9072cf97dfdcff318a96a8fcd3fd0cae9da249ead4a4dce35fc995c7e9ec92a19a5b8fc7fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIBVWNUROVOXXSDIPJP\installer.pak

Filesize
1.3MB

MD5
9161de0c745a2467e8b1efa7fe828986

SHA1
85ae7bf18c3f0cc68a8489363d883594ace964ca

SHA256
fb46408ed5b0aca2c7ad9f33916f09b212c720473ec3222eadd7b66383b4bc21

SHA512
46b211ad8164ff11a4a48c5ad64478c148defe001cf9896354a0b002f9e1936ca251382a1f0ecf78e5a965557ad44716fd73c0456aae57543cb6d180e76ffd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIBVWNUROVOXXSDIPJP\tmppack.exe

Filesize
561KB

MD5
191daa51ab8e3dbe928711f001dc3adb

SHA1
84d307554c31dd13b5789109505b7394f34c7836

SHA256
a39c78f61f42f22bfb40cfe9f56239bb15d7ea6ca153a5ded61c36997a61fa45

SHA512
1b10db82956d2092bee5b0a3f954b47bbfe669193d04fb586545a8a8167d84dc1a6f8aab8bd0d1695145830c733e0fa3b2505223bd50495a65bae32b04837a51

Download Submit
memory/2856-8-0x00000000033E0000-0x0000000003529000-memory.dmp

Filesize
1.3MB

Download
memory/2856-73-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/2856-97-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download