Overview

overview

7

Static

static

3

11cf5ca49a...18.exe

windows7-x64

7

11cf5ca49a...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    129s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2024, 08:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    11cf5ca49a6c354eb005fb24bdf6b1f0_JaffaCakes118.exe

  • Size

    768KB

  • MD5

    11cf5ca49a6c354eb005fb24bdf6b1f0

  • SHA1

    c37b9b9fea73c95de363e8746ff305f4b23f0c28

  • SHA256

    4e87a0794bf73d06ac1ce4a37e33eb832ff4c89fb9e4266490c7cef9229d27a7

  • SHA512

    ac91cb1e00db5eab4dd2253f745703d95ea4fe086c4289da62088f40ea727e4b54205d230b4282d38df006c3aebb2522058e2737c90d426abf900368c9c6dbba

  • SSDEEP

    6144:jLPkIupKPUWqUzHwlyLqZucfo/4dQSP8AEcmqRYn/nCrK8cI1WaWQ0vOKO5DBHQp:3kXoDOUAuao/Kl9a9bQ+ZE1Qyu9

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11cf5ca49a6c354eb005fb24bdf6b1f0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\11cf5ca49a6c354eb005fb24bdf6b1f0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Eburin" /TR "\"C:\ProgramData\Kip1.exe\""
      2⤵
      • Creates scheduled task(s)
      PID:2256
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /run /tn "Eburin"
      2⤵
        PID:3116
    • C:\ProgramData\Kip1.exe
      C:\ProgramData\Kip1.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\ProgramData\Kip1.exe
        C:\ProgramData\Kip1.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1216
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:1252
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3964 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4548
      • C:\ProgramData\Kip1.exe
        C:\ProgramData\Kip1.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\ProgramData\Kip1.exe
          C:\ProgramData\Kip1.exe
          2⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\ProgramData\Kip1.exe" >> NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2108
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              4⤵
              • Delays execution with timeout.exe
              PID:3284

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Kip1.exe
              Filesize

              768KB

              MD5

              b211348f8784ea450e1364c053046a6c

              SHA1

              70df9df1ffe20e7eac54e424c2e76242696904d2

              SHA256

              ca11b8ffbc782df697f34a26df930970b1ced2efbf89a34c506ae80a1cdc43bf

              SHA512

              b69d29cb50fbc3872a0e372c28747d56c94c094af7fe80168dfa48656e309aba32a7e9c7f26df6b5d2f2420592e6b079fc3df517298f2456e40aec2d8e36573a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\225208468
              Filesize

              417KB

              MD5

              33573120ecf4a9ccaa2fe97832ee6fc7

              SHA1

              285b502f61cecac5d2f8ad3275ae41ff7d768eee

              SHA256

              5a468668342be83ee0f364d4f5d426ac5a4dcf55446ef743950e4613a3174290

              SHA512

              1d6166b18ed1ceb19e7cff72313231c64ef1e856de6ae2c41834c477ed145fcf64bb97ed9236324aaa1c4a0e4cfa0013f79cd1008855005c6584389b1be4f715

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\768999484
              Filesize

              114KB

              MD5

              4808263efeec1019f450544f9b314ef3

              SHA1

              8864bd10d2f34adbe3c6abfb7cad1c900d5d2600

              SHA256

              37cf3ea98c38978a62b53f6162e17ec5c617a4d86a9dcdb2da19f9977ec584a9

              SHA512

              5d607c7b8db405066c5d9d354f18016db71b7d93f25b58d65844fdb94b3c635734ffb4c8936c4a8660211afef025e39b350180105f049eb79d9bb25315f5ec3d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7949157282
              Filesize

              116KB

              MD5

              f70aa3fa04f0536280f872ad17973c3d

              SHA1

              50a7b889329a92de1b272d0ecf5fce87395d3123

              SHA256

              8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

              SHA512

              30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

              Download Submit

            • memory/1216-11-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1216-13-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1216-70-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1216-12-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1216-8-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1632-79-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1632-80-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1632-150-0x0000000000400000-0x000000000041A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/3284-153-0x0000000077871000-0x0000000077991000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/3996-2-0x0000000077871000-0x0000000077991000-memory.dmp

              Filesize

              1.1MB

              Download