36c16c6998926e47b39f641bcc6f3a6dfa4280f89f05014ab4aec4f653953786

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
Size

3.0MB
MD5

07169261dd00064c8ca7f02018eff3cf
SHA1

2d7a896d457a0e16d073f2140b2d3eb8190a24a8
SHA256

36c16c6998926e47b39f641bcc6f3a6dfa4280f89f05014ab4aec4f653953786
SHA512

0c5e4c00e9ec0477df1c416f8f45297e9d4008c4e0df5d9b3a9a14fd9d19711d4988a122234560b3aa1134edaa4986641914e5ca61de9d42676ae5449b54295b
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBSB/bSqz8b6LNX:sxX7QnxrloE5dpUpdbVz8eLF

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	sysxdob.exe
2100	xdobloc.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOD\\xdobloc.exe"	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZM8\\dobasys.exe"	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe
2856	sysxdob.exe
2100	xdobloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2856	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	28
PID 2548 wrote to memory of 2856	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	28
PID 2548 wrote to memory of 2856	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	28
PID 2548 wrote to memory of 2856	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	28
PID 2548 wrote to memory of 2100	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2100	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2100	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2100	2548	07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07169261dd00064c8ca7f02018eff3cf_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\FilesOD\xdobloc.exe
  C:\FilesOD\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesOD\xdobloc.exe

Filesize
7KB

MD5
84c3a9ef71c6c32cc10faa7a3122fe8d

SHA1
44094cadec949c065d4321a4cb7bb4c11cd999f9

SHA256
de832fdf2de3a5ef6ef5856b88230214e4a82f75e7bd75a06e26b26295f3f07b

SHA512
f1a129f7aed7cc664d5863e93709d5db2f4f45caf6e6372303a8d02f820d81b54c422a04eb54ae98bd4ba94cd7035a4f0faa9a15bf71b5210f2274fb4f64ac3a

Download Submit
C:\LabZM8\dobasys.exe

Filesize
2.7MB

MD5
0a23ac85f6afaf56f88c61ed7e1fca23

SHA1
c943762663f2b5755aa08ae4bdf9bc2e32c6cd82

SHA256
06de79f7f9e59e479ef08b87608cd547b94211fc05f0a408691d24da258a4518

SHA512
6af50fbda15d0d47cbbc96af83387e2581d1b07c9a5bed6545da682dcbd8dc8b0a8e3d62c0692b7f177e13739fd9876d7216f3923ada9567c801e67acd80b4c0

Download Submit
C:\LabZM8\dobasys.exe

Filesize
3.0MB

MD5
968aa82a2c6ea8fea3d4d1d3d58eda8a

SHA1
ae68139e012de90271c403bef831f9879d7e064a

SHA256
ef514937cb37cf983b1a8cffecb240543ff27dfd012c51561c5b909bdccd19df

SHA512
6c68337eaa80afca27adbadaf96235476f17fd20574dc35392b5ebb7c3df3bea7cf1dd76274606eca001010f8a45ac7723b9ab18af9b8f2bcb9911ce41369565

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
168B

MD5
c67739b332faf4734fcf0be231a50eb9

SHA1
5ae50b468aa2dccdb0a919551f6788c3aba0070c

SHA256
da0fa7ff738e5d920d409a856ff8879a6a7cf7a7b4a09d7340f49f3f861433da

SHA512
e1dc51d9d091a0018279be0745c00346dd4ab6a68b61aef4bf3b2269e95d3f8961258519f09934cbd5d6eb6accab7e6e92f8a69be23abe88a2625cb51c4fc32d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
857fc99daf5b94ae1412f114ff0c982b

SHA1
f8103c6821edfed0c6a35607c4b4fe13e8f45c66

SHA256
e8dd69a590f78b6d34642a3a517c02dd7ee79c9baf5d59e508b79b60dc3ceb70

SHA512
4f5a3223ba5dbcd24951d33919fa4b5772fe1602b73794e509def58a362b08106a5f5860349dae6f41aee539ae1d3e84a81b4e8fbb4d782da706d1b2d36a5c8b

Download Submit
\FilesOD\xdobloc.exe

Filesize
3.0MB

MD5
6a011b578ca1b9ff858eb1f30ad5b2e7

SHA1
6862061cfa60b58f25e386d17fecad68398d01f7

SHA256
5cbee528a54cab8ca8f395e846ff6ab8009fe555907f2c3344b28c3d3241c9fd

SHA512
355aebe81259c55b8811dff85a4a98b60a3aef2c89511dd9926e3e81961b017c6eb8fdfb651b6cc755dd738cc208784ee6fb831adcb4001cd2397809eba353d7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe

Filesize
3.0MB

MD5
69452aa3afe0bdb884008895e520c4df

SHA1
9b8d69f26c8cc23ebb064dd777868be85fd2726a

SHA256
ce957f2a1f90abd6a7e3209e0b891c10582ac4b0f221f8e8d3be72246fe9e06c

SHA512
9d38a97cc9be6d554a8a101396c48510798770b3d5139145aa9ff541c0a8ffc45cf9c75f656a8aa4ef3404d6208b4076b6c56a73e61fd123cacc39d59b831ae3

Download Submit