b7ee14ffe7b41ac80a21d276c17baaeaa688b8b31a18a459df31898359740b62

Analysis

max time kernel
153s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
Size

3.0MB
MD5

b7c4fc6aa5efa0afb92bdad4e8a3348f
SHA1

045b58c4401a3b74c98c926e8ac2f12e67412a8f
SHA256

b7ee14ffe7b41ac80a21d276c17baaeaa688b8b31a18a459df31898359740b62
SHA512

6551ab923c7b12f038dc76a1ac88dd6c7fb54fd24befff5f9006499b9d47bfa18878379898c49f259508eb9845bf88bac640df976350c3e70cf461cc4da5d79a
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpUbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4968	sysaopti.exe
2716	devbodloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIF\\devbodloc.exe"	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1B\\dobdevloc.exe"	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
4968	sysaopti.exe
4968	sysaopti.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe
2716	devbodloc.exe
2716	devbodloc.exe
4968	sysaopti.exe
4968	sysaopti.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4968	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	90
PID 2148 wrote to memory of 4968	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	90
PID 2148 wrote to memory of 4968	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	90
PID 2148 wrote to memory of 2716	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	91
PID 2148 wrote to memory of 2716	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	91
PID 2148 wrote to memory of 2716	2148	b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\SysDrvIF\devbodloc.exe
  C:\SysDrvIF\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax1B\dobdevloc.exe

Filesize
18KB

MD5
85debed8a6676c98245779ce3f4937eb

SHA1
57e668e9fc77c82daa3878cb6311e0533529bc63

SHA256
b7b50daf7b1d73039fa1ebd9717c549099a61c0e75b0b8d8313ee11df4307223

SHA512
3bf96e9e8c07c974e8ff4906ae202728ae096bdc69182bfbabb37813a5b85096a5e32b7300103295786ebd6dea997ec477129b3b54ff3455f0c267844c77b5c3

Download Submit
C:\Galax1B\dobdevloc.exe

Filesize
4KB

MD5
7b41954bee8856da62ef57345adc3522

SHA1
11b72bcd158990287c7502b2d89a500dd528be97

SHA256
53500f97f1743cdbbb8e20fbd873c559d502902c5b946a3bf45608d9862e2df2

SHA512
6ca7be3c24637b2cebe059bfaf0b67d1447edda13807cc42ee42f4d621f67bc6378b464eaa122e4a1b1a0119b9d19e5ad9d40b4adfad582ede44ce86614f7c62

Download Submit
C:\SysDrvIF\devbodloc.exe

Filesize
56KB

MD5
68cb52347b9deef8d868bbea4886ab4c

SHA1
715a866c3dabf9a2afd76224affcee649fc9a055

SHA256
0346154353dec9d910e942265151405843d72b4e956300cc2dd697a59cafa74f

SHA512
a60c259d96c6f2e217e11c7a2ea9b39bda8943d563ec8dc5b0ab57eb1afa18dc1041bfe7be78e833821ee140556d18542a1515de5531283c886abeb1f6f28730

Download Submit
C:\SysDrvIF\devbodloc.exe

Filesize
3.0MB

MD5
efd5857e7958647d69644149bf092268

SHA1
941964b5d518ea6383a927a1d629d0f5042e6ae3

SHA256
437ffaf48472faf8f1d9e8faf7e1818f3eb0ecf8748cc44f989598c04174ebba

SHA512
fe654405c6aac723e9a6d9b05846150928b932a38629d12f94460392780f18a8fc2f239c29be36848dc337a1e3875d02df463b3d3a3e86d88e1b1af38d225c75

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
bac6cc6ae13ceeec8b05f6bbb378d6a8

SHA1
bd0d4f7aca415f55843488c64175a1e2b930d744

SHA256
dc7f6733b523d9e2fa685c5d9e61c5f706b38aeeb62856e8e82db7645691ccbd

SHA512
bc55698f4d59a61dc4488ba3516a7eeb0b7b8342b1495b6e2ad9b3147ca6ccba8577582739f9b1c0443d220423c7ecc396b85ccbcea681e30ceb646a83387dcb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
175B

MD5
862d29af104348208b661e33ab629c2e

SHA1
e643ce2733faf67fc1d972ccdc77f1244035bd97

SHA256
4c4b8d164574703ac6697d8532ce7621ba7a497e885872cf58f8a9656a09250b

SHA512
3339b290e2f0a2ce3421ee7a34bc3d3e34a52866e2d6e8478e4eae865c59841c58a27c58b363c374b53418763af3260e439992c3cbf85fcc0883e8c15cb5f707

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.0MB

MD5
15d5ba03b3094ddd63791a7840d38cba

SHA1
a67599567b9edb3c0c2552674eba8853188c1758

SHA256
f93fe0ed23dcc6b4d98481866619645d894d60a0794df4e398dd181f4db72016

SHA512
2d148a31ccac1ea46020827f733ea565a7c1a1f3402c2e2d9b3de8d7adb66862c440be1064d91b6e1bfa147198ef92a5943d9e35bdceb197bab7b0bf58af2bf8

Download Submit