15b16b91099406788937c675b15f2e81f3f9df40b0756552fa19c0cb24d3a621

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 14:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
Size

1.6MB
MD5

07d859dfbc355b509a8b7fa8d3d89a51
SHA1

ccad3a91e562cdb3b97d8f939ca7914231210d96
SHA256

15b16b91099406788937c675b15f2e81f3f9df40b0756552fa19c0cb24d3a621
SHA512

a362ffad97b449f4356c3f3f5fa91d8f8cf9f2ac8ae2f41f9b3fa95275af1c945b22d14b907862ffa7b437b9f005c4f0296913fd67688ace203335dc48874b1e
SSDEEP

49152:B4iUJg/bzdpAI7QeZ6688/ykGl4y8u7CUxW:BpUJWbp+IdQ3VPmyrBw

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe\IsHostApp	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
2944	07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07d859dfbc355b509a8b7fa8d3d89a51_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\UAC.dll

Filesize
13KB

MD5
a88baad3461d2e9928a15753b1d93fd7

SHA1
bb826e35264968bbc3b981d8430ac55df1e6d4a6

SHA256
c5ab2926c268257122d0342739e73573d7eeda34c861bc7a68a02cbc69bd41af

SHA512
5edcf46680716930da7fd1a41b8b0426f057cf4becefb3ee84798ec8b449726afb822fb626c4942036a1ae3bb937184d1f71d0e45075abb5bf167f5d833df43a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\apphelp.dll

Filesize
1.8MB

MD5
3951fb5de2e2d4329100a9687091f5b7

SHA1
4f7ceda872f7be5926509df521afee159c9135b4

SHA256
a098a5db545f2429a2c8caaed482afe553720cafe785da57fdd6d46479047ea7

SHA512
7d3ea57c8c1986036a5ace35eb5076f7c96c796f447e39a7ae3040e71eb0596df56dcf0376bd4fd51360b750f0c38c962970584979bd01794b642e483d5020b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\soffer.dll

Filesize
194KB

MD5
cff6a9dc992dcc7c9c3a3cf6e64d4df0

SHA1
e7f7847c2d2ff0781d27e029f209c4c2bd8e355f

SHA256
149279f79ad29d68c444111b7a1120e5053ad41444c5ebb6281f46257c050efd

SHA512
176e6ca3d2f907026da35c35d11f586225a0c388acbca474c9dbcf43913bd068e691302084b1c695e7e9678d57033162f51aa67fa2220941f1b0c288019888da

Download Submit
memory/2944-38-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2944-53-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download