b7ee14ffe7b41ac80a21d276c17baaeaa688b8b31a18a459df31898359740b62

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
Size

3.0MB
MD5

b7c4fc6aa5efa0afb92bdad4e8a3348f
SHA1

045b58c4401a3b74c98c926e8ac2f12e67412a8f
SHA256

b7ee14ffe7b41ac80a21d276c17baaeaa688b8b31a18a459df31898359740b62
SHA512

6551ab923c7b12f038dc76a1ac88dd6c7fb54fd24befff5f9006499b9d47bfa18878379898c49f259508eb9845bf88bac640df976350c3e70cf461cc4da5d79a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpUbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	locxopti.exe
2560	adobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJP\\adobsys.exe"	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5N\\optixloc.exe"	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe
2984	locxopti.exe
2560	adobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2984	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	28
PID 2924 wrote to memory of 2984	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	28
PID 2924 wrote to memory of 2984	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	28
PID 2924 wrote to memory of 2984	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	28
PID 2924 wrote to memory of 2560	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	29
PID 2924 wrote to memory of 2560	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	29
PID 2924 wrote to memory of 2560	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	29
PID 2924 wrote to memory of 2560	2924	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\UserDotJP\adobsys.exe
  C:\UserDotJP\adobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotJP\adobsys.exe

Filesize
3.0MB

MD5
3931d42908151642b3fd06c6ab40137a

SHA1
733e92af9a3e2c4e936c5c995a51e14794d735d8

SHA256
80cf86ca7b7816b9b6c3c248db29552787b57b33409263c1754e7841cb128c08

SHA512
8d3929f529344941f84323e1d1d7e916d5699fe0168acfb053d33070c6738ce7f701530f4456bd3bbc790467c3319e0505561fb6122c70e94b51b24e21e0c83e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
9ef81326d65223c917a90ae619495495

SHA1
554d5035935d43d1505c092b7ea4658363ff1555

SHA256
e02e6d6ff8165351baefb12d102ba2433286f019f0439a038af733849d9864ac

SHA512
910aa40f34b3ed41ae1d6f0df4be4533cd1bf7b860ed0a126372eef1a241905902a118d10c4561b8eaf94501799eef89549e3862531fc47be55d2231e7c6e7c5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
78530850aa0c1c1649287352bc01aa47

SHA1
7542035ad74eef8bdcece6814c62a0fb42c545df

SHA256
4f96f7020617f55d910dbeac777230f1f56196f806703bd4f8244e1294633fbc

SHA512
6ec8b4a4cfd9bd459b0ff240c5f61b19ae0c5ecdc3d0b15108cdefed42eaa652e94a6904fda133b00d194bd656c0520d242ca04ab34b78458687a3f971a53738

Download Submit
C:\Vid5N\optixloc.exe

Filesize
3.0MB

MD5
70ef0b3f9fda05c1a1fc0f7ba89e1b02

SHA1
2be9e7565a2effd0f7eda0a957ef9e73c6a1dc2e

SHA256
c0f6f341e4c6cde54f909a8770cc576c6d46b17176e7b61fead9ff8064adab41

SHA512
c604ebc1b106bff057f7b7b43d5c8698d6840666dd290279522ab78db007354da18aef3a10d3fdd9ac47464987f3d0e16819ac2519039b1840a2eea1d4b6630b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

Filesize
3.0MB

MD5
f81b27b1b46b6391074846172287bb0e

SHA1
4d2eea543587bfbd034395e1a31c37dbee6640ed

SHA256
36b322b8e864e7ea2a89398bd39f4e0e9eda881cb5a54c846c14f10e45ad1417

SHA512
7157de93be90e230fa2443c65cf0602f961464d883348c40f49bf5398e10d29148c4d643673684709e2d70ed1686eafb181561d5a5cba94465972ea6d1ae1045

Download Submit