17f6bf035042d722927ebff748dcabc5d7cb19ba429da72a017e05ca57d8d0be

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
Size

4.1MB
MD5

99d95cf99007b5b672e3d8851c249b4a
SHA1

6036bf326f26d392f0ed4fbb38dddc21f2718fad
SHA256

17f6bf035042d722927ebff748dcabc5d7cb19ba429da72a017e05ca57d8d0be
SHA512

17dda269228a32ea2486d42968553f542f2a4dcc73a62a18a9217e3c367572be4b2caa2d13fdc538ac105e6b2dda62ccc4c6dedf63cd34161f68b5dbaa525fa0
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBjB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUp8bVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	ecadob.exe
2576	aoptisys.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv02\\aoptisys.exe"	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQ9\\optiasys.exe"	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe
3036	ecadob.exe
2576	aoptisys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3036	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	28
PID 2400 wrote to memory of 3036	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	28
PID 2400 wrote to memory of 3036	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	28
PID 2400 wrote to memory of 3036	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	28
PID 2400 wrote to memory of 2576	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2576	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2576	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	29
PID 2400 wrote to memory of 2576	2400	99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99d95cf99007b5b672e3d8851c249b4a_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\SysDrv02\aoptisys.exe
  C:\SysDrv02\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBQ9\optiasys.exe

Filesize
1.8MB

MD5
a11f76255b9ca6234bfd6aa66474643d

SHA1
e3cc3fe2e8e1a624e3288e828320a33d91a8d733

SHA256
2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6

SHA512
5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56

Download Submit
C:\KaVBQ9\optiasys.exe

Filesize
4.1MB

MD5
9277e832c3d5661647c4a6ccb17d1aaf

SHA1
8e85cb8cc1f86a86db54692821617f29ce837121

SHA256
4e532a11fc4eb32a1f41bdfed557af381328017a3844212ed387f9c57a67d91a

SHA512
e0b736370ef4453aa4331c472c3d962395f4707fd8e3cc0ef6287081e1d3a673e019f7bade3f032dbadce93f75d16ba193ac041ccc35ed66f915f6a10cfaf93e

Download Submit
C:\SysDrv02\aoptisys.exe

Filesize
4.1MB

MD5
fec3c2ae1d095dde8c1437b4b6b34030

SHA1
c9f1836afe50c195f5185e6196087eb8a022876c

SHA256
c15f2ede15ab8be054114dabd241822116096dd4aa26bed71989dd2b1f8b7a30

SHA512
4e1e0697a606a7e31da05eaf783bac61c8007b0e5dae9e95293a588f3ca88e06b38361645bb9456a6ca5b8cb8bdbdfdff4462b116526f3c9910a0085dea5b0d4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
728edb40ddd963c859d58aee7e917c7c

SHA1
78073fc032e47e637bad4fe3f2c89cdbe2d9eace

SHA256
51ce01e1f05e49a44c2e17c94802d1d2a6246bd0a9a919848ae5dbaa44c6aa90

SHA512
d62b06f9f58267b94c5dec8174266bde69da896e52ae7adcfe291ac14d3f0fdaa314770448cb319b773cd53769f71e01e933b63f1a115b4736354988769bde7a

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
ae9549c25046f9187ced0eed359ea4ec

SHA1
4ac7fd5b0eed95db769e469e0531f761fa87d3e0

SHA256
92f217c90f51953016d222d213bc7b30db5a345aa1abf5d7e6bc56ec8e2fdbda

SHA512
37fca0643f15ad5542aafcd8ec59e79dbb5dd32d70be37b6934fa697399efc32026703ceb495f6ead1ba798d5260b4e1ef5e45f104284ca400ca6d60c4025a54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe

Filesize
4.1MB

MD5
a4dc3da37bbb5360fc6780de6d032d1f

SHA1
4db2ec380ab989af1fe940364ad64ab5bd4c8632

SHA256
33fc943bbaf237201b506edf7de92f67a71329aa3f9dc4abe9279ca93eea5da9

SHA512
6ca545475ab18106f2d3b5a4faa3ff280782206499916464977c985575b32494359f90f2b80e5531cc3e4b0a3e057d8222d14f33526de2d33b941bd511883f82

Download Submit