404keylogger | b95cc2d6e179471e7c09c2033124a1a7fe93466269da002aa8b315d398fbea14

General

Target

14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
Size

1.5MB
MD5

14d3e00e8027db78a81490e692299712
SHA1

d6dcc19c0ab0d43ed41af980700acc655a4a8888
SHA256

b95cc2d6e179471e7c09c2033124a1a7fe93466269da002aa8b315d398fbea14
SHA512

ad80449612cbb62e250e0ae2f8681e5c3a23a8437b9598b412f4f01a123cc3088a8d6580fea75c9785d16bec8ba80bc0563adc3047fe4860eb64b9981a5bf36f
SSDEEP

24576:+tb20pkaCqT5TBWgNQ7aEAu0R8/YQ9W783TFtazDkkih76A:rVg5tQ7aEaWt9pckkU5

Score

10^/10

404keylogger collection keylogger stealer

Malware Config

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 3 IoCs

resource	yara_rule
behavioral1/memory/3048-5-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/3048-9-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/3048-7-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PrintBrm.url	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2784-3-0x00000000003D0000-0x0000000000559000-memory.dmp	autoit_exe
behavioral1/memory/2784-4-0x00000000003D0000-0x0000000000559000-memory.dmp	autoit_exe
behavioral1/memory/2784-10-0x00000000003D0000-0x0000000000559000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2756	3048	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	MSBuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28
PID 2784 wrote to memory of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28
PID 2784 wrote to memory of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28
PID 2784 wrote to memory of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28
PID 2784 wrote to memory of 3048	2784	14d3e00e8027db78a81490e692299712_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2756	3048	MSBuild.exe	30
PID 3048 wrote to memory of 2756	3048	MSBuild.exe	30
PID 3048 wrote to memory of 2756	3048	MSBuild.exe	30
PID 3048 wrote to memory of 2756	3048	MSBuild.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\14d3e00e8027db78a81490e692299712_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14d3e00e8027db78a81490e692299712_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1100
    3⤵
    - Program crash
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2784-3-0x00000000003D0000-0x0000000000559000-memory.dmp

Filesize
1.5MB

Download
memory/2784-4-0x00000000003D0000-0x0000000000559000-memory.dmp

Filesize
1.5MB

Download
memory/2784-10-0x00000000003D0000-0x0000000000559000-memory.dmp

Filesize
1.5MB

Download
memory/3048-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-9-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-7-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3048-11-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/3048-12-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-14-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/3048-15-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing