777bb88f0340d9c3be6ce71ca561f7a7e8d0f372cb745d6ccfbe6a18a7fa345c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
Size

3.0MB
MD5

2f0aaee99e8411db8265db84227af6be
SHA1

c7c26070b9e3bc5e0cbdd225ed9c1da43c565482
SHA256

777bb88f0340d9c3be6ce71ca561f7a7e8d0f372cb745d6ccfbe6a18a7fa345c
SHA512

fb1239e27f9531eb7ecaa3a7550eff61889cec37b47ba4e74dc6ca38176a6c377873aab43afd73a99d768021320e76984142d0d38b0713f15b0a8d7bd72f1280
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBIB/bSqz8b6LNX:sxX7QnxrloE5dpUpDbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1788	sysdevdob.exe
2612	adobec.exe

Loads dropped DLL 2 IoCs

pid	Process
360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNR\\adobec.exe"	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6K\\bodaloc.exe"	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe
1788	sysdevdob.exe
2612	adobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1788	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	28
PID 360 wrote to memory of 1788	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	28
PID 360 wrote to memory of 1788	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	28
PID 360 wrote to memory of 1788	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	28
PID 360 wrote to memory of 2612	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	29
PID 360 wrote to memory of 2612	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	29
PID 360 wrote to memory of 2612	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	29
PID 360 wrote to memory of 2612	360	2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f0aaee99e8411db8265db84227af6be_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\AdobeNR\adobec.exe
  C:\AdobeNR\adobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeNR\adobec.exe

Filesize
3.0MB

MD5
46319ea2ba1ceef5331a5631bc84bab0

SHA1
13154fdf5043d2b2255592196fc2c2692cfb3d2f

SHA256
f42833549f857e236851d04f31e54f032d1ba1efcca8ba97733544428bd4171a

SHA512
7bcf16510d2d751142ffc50bd0c525e009e929a26d094d7cc93e1f7ab634074305603f67ec64938de6b02ab3558bffbb5c14020ee2136628d5bb89a5ba06bfc2

Download Submit
C:\KaVB6K\bodaloc.exe

Filesize
12KB

MD5
5ce46de9d1c8ab23eeb8a98bb0b2232e

SHA1
eb2b026ffaf5a7802065fa5971c5c4495fa6763a

SHA256
0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0

SHA512
173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712

Download Submit
C:\KaVB6K\bodaloc.exe

Filesize
3.0MB

MD5
328d6e2a077e2205abcf3c0b9c82e4dd

SHA1
c1e62eeda19388625078e7f3d41c0df820344a81

SHA256
c6ff00bf54f371ca64a4e940e8f997a6ecb645d8ea296a051718f0bc07f93bff

SHA512
ccf755183b0b16edada71cf7d234ce3a3e854cfb8cea3f74f7f0b6250f2fe7e091921f71c09917045bafb348f07cd27995d7a9f2af1ced6d137b3328fa627787

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
169B

MD5
7f6bccd7f335ffb51e672763ef1d53c1

SHA1
c90d7c917bc3cc86b8f07aa6f6ca35b07877fc8c

SHA256
e8528799a6a8d33154ab69e9536a8c2a43bed7c14d98c86e85d91c96133d260f

SHA512
07cabc44dcca558a732e6fcebc56b92ca3ae67bcb9997108987468c2f6bf2ef3dda7745d2551c397bebb929b3b220fe0bddd7f59bdb247bab5a785c83473296f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
bccfc7dae1c23189d697dda4c5f3d34f

SHA1
d8defe0126617cad068edc5176ece5f51a4ec69e

SHA256
ecd6c72f4cc2cb8d821161882d48b7017b3b96e7028cd852b504b2259594bf6a

SHA512
58695de166b963fc98392093202a6efee67940c67326a2c946316dfeac8aa770cde284bf3f2108609901de3e6faf0b533ce31ec32b6313a40e1e108bb5499080

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe

Filesize
3.0MB

MD5
edf399774f9d0d45a76fb443c7ea5451

SHA1
05bbad667846c53911b26006ba16224b78672c8a

SHA256
71b67774b467cb116a3aa63df3dcadb16e47264376ebb78f20d6e98a203ab370

SHA512
0190172079332baf90e035a3a636cec3f4b1cc823a7d6f41b77f65798d9a2d5e1f2fe99bdef36af272a8c861dd6f4e1aa98dc93c07c02c86d9bb2cfc333df6e8

Download Submit