Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 20:55
Static task: static1
Behavioral task: behavioral1
- Sample: 060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe
- Size: 567KB
- MD5: 060d2f52d06e9a813d697e4bf55e717d
- SHA1: 6b3655fb05561fa3da1de03ea07d39bf71649054
- SHA256: 5cc2c00b7fd15516238a0289a6a872db9da7f5f27253d0148739c16847e15f01
- SHA512: 1cb1751279fe66c7946a7768f04be5893c825b6d61aebd0a5f43230ef19c078f262a5f13fd93f68a37846eae10a14c042df098f0f385a1a079ef096d4fc25423
- SSDEEP: 12288:1b9W3CBwSdIC2EzJwoxZwXbFtGGhGssnfbr9sG2E7xKT62T9mvTjfLT:qCUCbz9ZaPG5znfoENKOFTDX
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process                                             target process
  PID 2012 wrote to memory of 2512   2012  060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe  cmd.exe
  PID 2012 wrote to memory of 2512   2012  060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe  cmd.exe
  PID 2012 wrote to memory of 2512   2012  060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe  cmd.exe
  PID 2012 wrote to memory of 2512   2012  060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe  cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\060d2f52d06e9a813d697e4bf55e717d_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\206.bat
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\206.bat
  Filesize: 175B
  MD5: be500df127a4770c4fa7a695cd41529a
  SHA1: c234dd11e0d4ebd73a6d4f028001d62d69cc2824
  SHA256: aae8cae540c59ae97490d58e230a406f992db3497df4477f22090abe0883658b
  SHA512: 1aec99e5620e8ccd25786ee11ae4d1c783d5442f229929bb46e3018d581c637b823e6e917ac105fe7bb78901e24423f4bc56d36866e010f8ea611c0240a884fc
- C:\Users\Admin\AppData\Local\Temp\63615.exe
  Filesize: 567KB
  MD5: 060d2f52d06e9a813d697e4bf55e717d
  SHA1: 6b3655fb05561fa3da1de03ea07d39bf71649054
  SHA256: 5cc2c00b7fd15516238a0289a6a872db9da7f5f27253d0148739c16847e15f01
  SHA512: 1cb1751279fe66c7946a7768f04be5893c825b6d61aebd0a5f43230ef19c078f262a5f13fd93f68a37846eae10a14c042df098f0f385a1a079ef096d4fc25423
- memory/2012-0-0x0000000010000000-0x000000001012E000-memory.dmp
  Filesize: 1.2MB