Overview

overview

9

Static

static

3

0a31f5fc65...18.exe

windows7-x64

9

0a31f5fc65...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    0a31f5fc650f2b93a36a1c095714b78a

  • SHA1

    71b3367011357f8f66c50cee1dc3e331e631933d

  • SHA256

    796d20b44f82b2f28d9f1da9055e1ff84c2e8ac85447b9a53c3f6e8937a54897

  • SHA512

    02742e500fe70ddd5bdff9e6a0ab1b50a679590eab168034a07aca92f58dd539f294561ee3f631716a64c2002ff90a78595fd678e0ec9c7fb307e9843d0a4d75

  • SSDEEP

    24576:wQ1bLFCAXperrOUj6k7ZqC30n5HOUZxfHQAPGuIHpc:wQ1bLk7ZxMdRkp

Score
9/10
collectionpersistence

Malware Config

Signatures

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0a31f5fc650f2b93a36a1c095714b78a_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe XDPQQHAWGNcYLJHXUWA
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:4752
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LOICIIdVHRBHLgAYeZUAi.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MaCaFCZJcbiC
    Filesize

    474KB

    MD5

    349c42d8308b6f5ca3cdf0fc43fd6c9c

    SHA1

    829b046f2e2cb726d2382ccc40ec08b3b9662cd8

    SHA256

    1ae7cc71c034ae9ee1ad343306305df4adff07ea5aa0e61e0b05d06712971a5e

    SHA512

    5ee6576127884da6fdfca68bbf8f0ab5bdf9d892bbbcab3b9b61134c8ba33504b7e68a447f29fab3bf75d9371a47859e090dbb9081aefdc4cda794f1ecd7c29d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XDPQQHAWGNcYLJHXUWA
    Filesize

    38KB

    MD5

    1adc42dacd12c3ed14f5dfab6bd96aae

    SHA1

    987b4c38d608b0a7f663556a791814e3ae5e6f4d

    SHA256

    192bcaed67e7817bb3f201afc150ba7b58ad8d1860e2d89c0aca5d9976368fe9

    SHA512

    0afef56895e79b1c210f2e3678e9b63697040ff9a15089efd1f28784a64d1bed771bc724ee9d828ba0601a2f99f346b2ee3714e00cfcaa87aa488842969bcb45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Web.txt
    Filesize

    3KB

    MD5

    b9daf88205e7429feaceda806bd561d2

    SHA1

    1893c80e74cfea9914343c6e4213393804a92dd1

    SHA256

    efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027

    SHA512

    649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1

    Download Submit

  • memory/1420-22-0x0000000000E20000-0x0000000000E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1448-38-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1448-46-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1448-39-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1452-27-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1452-29-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1452-26-0x0000000074030000-0x00000000745E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-28-0x0000000074030000-0x00000000745E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-17-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1452-47-0x0000000074030000-0x00000000745E1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1452-48-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1452-49-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4752-32-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4752-34-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4752-35-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/4752-36-0x0000000000420000-0x00000000004E9000-memory.dmp

    Filesize

    804KB

    Download