1ec95cc7d648e4f7f93a37b88b3708f1abcb877949a5c4fe5d6e95ceebc96158

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
Size

3.2MB
MD5

4a1e0388b48fe663a6b24e1c28804048
SHA1

cacde9377d7fba6c72e7158f3d34885c4b0311ae
SHA256

1ec95cc7d648e4f7f93a37b88b3708f1abcb877949a5c4fe5d6e95ceebc96158
SHA512

ec25e0545ac92129b7481e1c70507ab2307b0f96dd75cfbfb9fb03e8ce743ead7c8fd95c303b27ed8ae2354f22cacfe493f8e290bd72742da61efb84df86e3e3
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB+B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp1bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	ecxdob.exe
1296	aoptiloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3C\\aoptiloc.exe"	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGV\\dobxloc.exe"	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe
2212	ecxdob.exe
1296	aoptiloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2212	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	28
PID 2020 wrote to memory of 2212	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	28
PID 2020 wrote to memory of 2212	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	28
PID 2020 wrote to memory of 2212	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	28
PID 2020 wrote to memory of 1296	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	29
PID 2020 wrote to memory of 1296	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	29
PID 2020 wrote to memory of 1296	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	29
PID 2020 wrote to memory of 1296	2020	4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a1e0388b48fe663a6b24e1c28804048.jaffacakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Adobe3C\aoptiloc.exe
  C:\Adobe3C\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe3C\aoptiloc.exe

Filesize
3.2MB

MD5
cf3dbf8455e650a87b105d62d5724288

SHA1
2b289ca973cfb6e1ee361b4c027c0c516516f81e

SHA256
724c2efa3ed426e083656151579736546f75c2b359b2a9087640f3d8d64ca047

SHA512
de88c030a341fad19e609f9cd42836d33a385b3d85c2ca42c96b19fb3d1caf268df1ec58d0b4bb351e39732b4305a13304fbfcb86dbf8e1208701dee1f0eafb9

Download Submit
C:\KaVBGV\dobxloc.exe

Filesize
1.2MB

MD5
211f25780a949ecc47fe103d46655355

SHA1
9e61828760283cbf311ef63c6da4b54bc8e38bf4

SHA256
03491075aed567421202b9da1912d5f0684570b8bfcfac389e16ecab234affe3

SHA512
425b07a8bcade19beb7d3eb2c68a5c38fac85217de4e8894bab479305438f7596b76f74008bde826ec59080a7a764188687505f6ff96e044ff9027820a3b495c

Download Submit
C:\KaVBGV\dobxloc.exe

Filesize
3.2MB

MD5
1b364693ee90ca41eac0ef615f22c1a0

SHA1
1ceb2db73c316c28ee0961a5ba59d40371224036

SHA256
7320c4979d69e57196b0c104b6ff3d8ff5efece2380cf3f47fbfe0cfc18938de

SHA512
f24c62d690286b4847f56eaa1b33597a6655afb1587e09781f8b4a8c4ebc18908130e0ae4710450fb9a333ec09bd245575eb8003ffea4342b89dff69a0df2604

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
0d0d1892e0cfe9561d7c491f9f328b37

SHA1
8aea702fcce141d87eb860443d356ea128f3d180

SHA256
dfeb569fcee344c40cb28bd304a86c5b25224bde49d39081d10b3ed0013b8d55

SHA512
9c66318c4c59f7e59ca749e4981e7c95b74b29c8f0e481690cf6eefa63e0a8db6a4374dad138be1a3ec574e965e599d8a7ab165034150f8bda861c4a0efb16b3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
1b3ffccd4e1201273195573b66d67591

SHA1
2240bc03ad53eb1ee745e062f1afb163adca9039

SHA256
321f5e566be705039be07408b5c6683614918779aa2f4d4ef0d9abca6f0473be

SHA512
b8a2880162fc2a1cb47fbb55b46885b64f041a0d1e6a32679d9fe09359a5e2cd43607b3be1d769b58c461b0908055ddc8c0a71841d024c6dc52fdccf80a30c62

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
3.2MB

MD5
51133f94c85c55d503c90920b7cd0802

SHA1
cb47d56a81ceca33ce7df82c4bac67e8f5f796a3

SHA256
f0646f36f1e07d1df23c5cfd0cb871a2451a97b681a28755f2f73717b53c3fdf

SHA512
21e6114934f2b82d46756f2f53766c7b15c60614324e61c53d48ba54ac530ef80f080098bc4ddbd30e203a3674418f816b5b9283c6b9b39d2a0c5f3685df40f5

Download Submit