2740d0e16a167a586a16aaa69131b7ba4b69bf2cb156e82d96afe03116f3d687

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
Size

4.0MB
MD5

5a19106054635543eb7ec80deccc8247
SHA1

2c4d687306c34491a933c2ea0c0fefa9ddab0b9f
SHA256

2740d0e16a167a586a16aaa69131b7ba4b69bf2cb156e82d96afe03116f3d687
SHA512

33731e1983d89074ae8250dba04ebd50f3005dcabcb8a915bd25aca5806a978c5ef8bf231a192789066a70bc4e04c8e65c64e6419174b6d71133f23d8f4ae771
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2052	ecxdob.exe
2040	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesV9\\xdobloc.exe"	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4D\\dobaec.exe"	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe
2052	ecxdob.exe
2040	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2052	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	28
PID 2280 wrote to memory of 2052	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	28
PID 2280 wrote to memory of 2052	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	28
PID 2280 wrote to memory of 2052	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	28
PID 2280 wrote to memory of 2040	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	29
PID 2280 wrote to memory of 2040	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	29
PID 2280 wrote to memory of 2040	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	29
PID 2280 wrote to memory of 2040	2280	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\FilesV9\xdobloc.exe
  C:\FilesV9\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesV9\xdobloc.exe

Filesize
4.0MB

MD5
f41aea4b11ac4bff276e517225ad995c

SHA1
c2383fed91d955942b2260fd0f46f829131ed5cd

SHA256
47b8ea07afe3daee0489befee86e7587dbbdf6281a712417a9afa2224c926c51

SHA512
4ce728aa98d6e8e77256952588bfc9424b2e44b91dcef52d49248b48acef4fad831ced7d14c4f38f0bf02c5f47cb7321e3a4a8c20045d04df0351cb43ac116ac

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
165B

MD5
84b7b262c29f7ec43fc889eb9a4e1070

SHA1
dca36c0561d62b91ec1ef731968ece41898d86b1

SHA256
7104cbbf64535075dce626bd932e6ea93537d1609c8c31cd31fb4955cd8837d8

SHA512
4871486ec8923dd1a62734ae950bd5a71d5930ebca69dc434d9603ec5182ba497cb6e3aeaa7c9afd628702b398364912fb7d62252199a6126530c8d3edcdc916

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
197B

MD5
c105382a8ebc4291892f4b7e6b5a0157

SHA1
43d87312bfe18528713afe76ba71c7471920d002

SHA256
9d314ea76fe59c860e1cd39861ffa44ca7087fa4c53a6e44f4289ec9e0d5537e

SHA512
191fb8a9b92dc6fd8880e5a2eea60752f086f793b0456ae470b897bf0f846fbb3672979a3cd0e18fec8d9daffaf378c61e8a9bf3742cde9ed4f894a75edffb6e

Download Submit
C:\Vid4D\dobaec.exe

Filesize
4.0MB

MD5
e114fd256d71b3ba8b7fdb211b5da34b

SHA1
a63295b34d330cf29f1494d7ba138ff62c62dcf9

SHA256
5a3df5efc47ae69f580bf508480015f431f9f7618ea40d0c18c9160acb0979ab

SHA512
a0bdb37ee6d1ff5d5243d4b96aaf4431921d24ec42f41ea258baf22639de7abbdf07e7024723369311432b1a53cd3cb211b897a46942cd6f2e02123e1160c567

Download Submit
C:\Vid4D\dobaec.exe

Filesize
4.0MB

MD5
6c5fc6a536975969639268f9a550c573

SHA1
6b920051a99f0058613070d1f850c41dbd2f5d58

SHA256
d3cea54d57f56b103318956e10647494cd07460b70a95b7d01a1a51f961e22b7

SHA512
5f43a075a3ada45265a3fe14454be69188aed4ec4d4964ff54d3afeac9a5b7b04e2b28d615712f241c42f04c0bc93e644b31733559ab2f6abd89c5c350dbc5c0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe

Filesize
4.0MB

MD5
51e15ffed72fb27ff182aaa82831d3f6

SHA1
5286d973f42115fff4eefcda1815f42bcef44c8a

SHA256
731df89f189518e01857fb23c140d04f1c2e4545c05628048b0a870d04604c0d

SHA512
2c6ec6eb07e5da6254eded50b8f6c6b8b80ae398dfb42b28b2442d2cf6c981c4c37bc63ddb2421c4c07b111e4abf91b9aaa8c2cb9c39ca4162ae3702bc82cd06

Download Submit