2740d0e16a167a586a16aaa69131b7ba4b69bf2cb156e82d96afe03116f3d687

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
Size

4.0MB
MD5

5a19106054635543eb7ec80deccc8247
SHA1

2c4d687306c34491a933c2ea0c0fefa9ddab0b9f
SHA256

2740d0e16a167a586a16aaa69131b7ba4b69bf2cb156e82d96afe03116f3d687
SHA512

33731e1983d89074ae8250dba04ebd50f3005dcabcb8a915bd25aca5806a978c5ef8bf231a192789066a70bc4e04c8e65c64e6419174b6d71133f23d8f4ae771
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB7B/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1576	locadob.exe
2688	xdobloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocST\\xdobloc.exe"	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXD\\bodxloc.exe"	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe
1576	locadob.exe
1576	locadob.exe
2688	xdobloc.exe
2688	xdobloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 1576	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	92
PID 4660 wrote to memory of 1576	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	92
PID 4660 wrote to memory of 1576	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	92
PID 4660 wrote to memory of 2688	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	93
PID 4660 wrote to memory of 2688	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	93
PID 4660 wrote to memory of 2688	4660	5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe	93

C:\Users\Admin\AppData\Local\Temp\5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a19106054635543eb7ec80deccc8247_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\IntelprocST\xdobloc.exe
  C:\IntelprocST\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocST\xdobloc.exe

Filesize
4.0MB

MD5
f0868bb8963f3e573f13faef4996b905

SHA1
4ae3102c4389e4ee451e47f8963963518b84e69b

SHA256
753cfbcaf6d30e4299d40bd2b7ab794fc0f52277f82ee555ccb770936e4aeaca

SHA512
4806685deecdf85cfe1599cb6c06419db7a3274427a9ee835d853386adde2ad33ce812ddedd7977bdf6bbd9326a951efb4de1429ac5512b422b1e5a530b4c14d

Download Submit
C:\LabZXD\bodxloc.exe

Filesize
4.0MB

MD5
f3d6af4054c7a34374838129b190c8a8

SHA1
e0c9ad7e87e1f6f4f98f9259e60fdefabdb93a75

SHA256
1452095a39cc6d7410d88410c109bf079bcd09c7cc84260662bceec927ca5398

SHA512
dbb1e96e08b2fa4488119b7e4bd8df77a9229b121924410f7d6508f5381d55801b045bd75d10930849b5b2326b0c5680170c575f75dcf05dd7f8611081cc77d4

Download Submit
C:\LabZXD\bodxloc.exe

Filesize
2.5MB

MD5
bf8d8c74ed74cfb4725609f36b9c29c4

SHA1
310f6d0f144882d6b595506640572b9fae8c9bd8

SHA256
5c3fa9827b228d849c1e395785575760517fae1f529f78601297a3d59766304e

SHA512
d6cead3245c10bac74c8be73f5d1e63196987ee9644809d700abde49b2c8f215a9f44d0f3a5d53e57dd869944884fae534ebcca9b5447401ed343300dd7c8fd8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
2a46416bc8ea1cea8bf434038080de11

SHA1
d79ceee3431cccf7937187a6cc6ca2be649e0fad

SHA256
58be67945b51ec79ee55c4681b48fe4d486fb372d447a90926e6f504dd0d2ef8

SHA512
8f328ea1eecf0b339b0a795489d6246b559e0fa7c1557b0eae47e01953991cff894842dc91c32597a64b55a213c4e39d7c9d796d83f148462a1a8665f6bb6eb1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
30599e9b5cdc8414bcb82f97630a721d

SHA1
ebdc048bfb46c075065e1a1bed3ae33e1dcb0c56

SHA256
22e58ab9ff6c0ef0b4389e24ee16d24d0ee404c6cfcbce0d89105b47dc239272

SHA512
c472b23d10e09344dff43e714b42187e794b959ffb09f05b941464f3a92dcec7c1ebf3876e62df42a4b9c0af981130ac0088bcbf4eb2f7ba7e05c38b798cf120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe

Filesize
4.0MB

MD5
7d126b3c9b6da0d2bb11df1f5433d6e1

SHA1
16d40c9595c9d513c8563d48c62aa2624c4edc6f

SHA256
72b3b048e9a50e43074476a7cd8e8de32c6117879a51ab4df0799546a4a624ae

SHA512
13edf867d3d728b20208f35d4fe224030d31b2c398e485cd23aca01b6959da04028a0d4f2623f7d8915b539ca51c964a6712ad1c976b0a0358e3c4be426c8eb9

Download Submit