Analysis
  max time kernel:  121s
  max time network: 142s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        28-04-2024 14:03
Static task: static1
Behavioral task: behavioral1
  Sample:   055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
  Target: 055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe
  Size:   687KB
  MD5:    055a88a1ae56f111a4bd07947a270843
  SHA1:   90cdfe475e35b2c4fc9be6be0f61754de8e6fdab
  SHA256: e881ab8d937c1feb3b944f1cf4d31c77d92f3f08218b244372ae3bbe6a677ce0
  SHA512: d0f9a22135f06b9448f4ac477f3864050fdae396a31d159e5fce5bbbf685c935b634e896fc8d2ef47b9cbf3bf3068886998002b3c40ae9ea2bc133455121b974
  SSDEEP: 12288:vkudPorJGE5wJGE5xHhSQwoHNc+dAibMQ:EJNyJNHHhnw0Nc+dAibMQ
Malware Config
Signatures
- Drops startup file (3 IoCs)
  Processes (description / ioc / process):
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe   cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe   cmd.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk   app.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    2572  app.exe
    1840  app.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    2572  app.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  app.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  app.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  app.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    7  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 2572 set thread context of 1840  2572  app.exe  app.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    1840  app.exe
    1840  app.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2000  055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe
    Token: SeDebugPrivilege  2572  app.exe
    Token: SeDebugPrivilege  1840  app.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    1840  app.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process), identical events grouped with a count:
    PID 2000 wrote to memory of 2608  2000  055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe  cmd.exe       x4
    PID 2000 wrote to memory of 2516  2000  055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe  explorer.exe  x4
    PID 2592 wrote to memory of 2572  2592  explorer.exe  app.exe  x4
    PID 2572 wrote to memory of 1840  2572  app.exe       app.exe  x9
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  app.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  app.exe
Processes (image path, then command line; the number is the depth in the process tree)
  [depth 1] C:\Users\Admin\AppData\Local\Temp\055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\055a88a1ae56f111a4bd07947a270843_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
        - Drops startup file
    [depth 2] C:\Windows\SysWOW64\explorer.exe
        Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
  [depth 1] C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      - Suspicious use of WriteProcessMemory
    [depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - outlook_office_path
          - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    Filesize: 687KB
    MD5:      055a88a1ae56f111a4bd07947a270843
    SHA1:     90cdfe475e35b2c4fc9be6be0f61754de8e6fdab
    SHA256:   e881ab8d937c1feb3b944f1cf4d31c77d92f3f08218b244372ae3bbe6a677ce0
    SHA512:   d0f9a22135f06b9448f4ac477f3864050fdae396a31d159e5fce5bbbf685c935b634e896fc8d2ef47b9cbf3bf3068886998002b3c40ae9ea2bc133455121b974
  Memory dumps (file / filesize):
    memory/1840-19-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-36-0x00000000002C0000-0x00000000002CA000-memory.dmp   40KB
    memory/1840-32-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-34-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-35-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
    memory/1840-28-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-25-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/1840-23-0x0000000000400000-0x0000000000434000-memory.dmp   208KB
    memory/2000-7-0x0000000000720000-0x0000000000820000-memory.dmp    1024KB
    memory/2000-11-0x0000000000720000-0x0000000000820000-memory.dmp   1024KB
    memory/2000-10-0x0000000074390000-0x0000000074A7E000-memory.dmp   6.9MB
    memory/2000-0-0x0000000000260000-0x0000000000314000-memory.dmp    720KB
    memory/2000-5-0x0000000000720000-0x0000000000820000-memory.dmp    1024KB
    memory/2000-3-0x00000000070E0000-0x0000000007120000-memory.dmp    256KB
    memory/2000-2-0x00000000003B0000-0x00000000003CA000-memory.dmp    104KB
    memory/2000-1-0x0000000074390000-0x0000000074A7E000-memory.dmp    6.9MB
    memory/2572-21-0x0000000000550000-0x0000000000650000-memory.dmp   1024KB
    memory/2572-14-0x00000000002F0000-0x00000000003A4000-memory.dmp   720KB
    memory/2572-24-0x0000000000550000-0x0000000000650000-memory.dmp   1024KB
    memory/2572-27-0x0000000000550000-0x0000000000650000-memory.dmp   1024KB
    memory/2572-30-0x0000000000550000-0x0000000000650000-memory.dmp   1024KB