eaf39296275eac5af338b2b9994a43b017454ccf9b4d6983134a7715f099adba

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1748fa073414360500d759041e5471b_JaffaCakes118.exe
Size

3.2MB
MD5

d1748fa073414360500d759041e5471b
SHA1

1a9b1e691160ffce53aa11189d4b5b43c7a3deec
SHA256

eaf39296275eac5af338b2b9994a43b017454ccf9b4d6983134a7715f099adba
SHA512

e04a094eb4dee02a59ee45424c55c1f185be03d01cc2c7a31a200158f48c5ee18e4b9ce2afa8f00ca3ea7ae151e08525bf79cb901b4719a5f45b4a44f9dc7264
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe	d1748fa073414360500d759041e5471b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2064	sysaopti.exe
2556	xdobsys.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD6\\xdobsys.exe"	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2B\\dobdevsys.exe"	d1748fa073414360500d759041e5471b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe
2064	sysaopti.exe
2556	xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2064	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2064	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2064	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2064	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	28
PID 2080 wrote to memory of 2556	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2556	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2556	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	29
PID 2080 wrote to memory of 2556	2080	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\d1748fa073414360500d759041e5471b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1748fa073414360500d759041e5471b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\SysDrvD6\xdobsys.exe
  C:\SysDrvD6\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax2B\dobdevsys.exe

Filesize
2.9MB

MD5
2c98b6acc9bbaa04b3200cc2d49a88f6

SHA1
3739969ba6f3b4ce21fe35688e57fc0847caa9d6

SHA256
8f475531f954913926eca4eaa76d42bc05aa345d8b145af5d8e307bcc161dee6

SHA512
268de8998674863a4c76cc5255e3bccbee47a1c45b91709418174127828e1e00208d5b7b3b7254b467cfd4f55ff576ac0faca1d390051794bba5eaa43c5a2998

Download Submit
C:\Galax2B\dobdevsys.exe

Filesize
9KB

MD5
16a4bb0fc3d5c44be3028068af1ea1ef

SHA1
3525da0805ed7773dfef437f24482b727389e9db

SHA256
cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d

SHA512
b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b

Download Submit
C:\SysDrvD6\xdobsys.exe

Filesize
3.2MB

MD5
edb4c3d39a473b8d4cace3cb8c350ff2

SHA1
b7100f893201614345e7d8b0ef11cc5a89f1b43a

SHA256
83c8cd9b852662637017373d415252f42d297b2c10b288ca10c6603f431a71dd

SHA512
740eff180cceefeca7c09858e9daef04e7903b5031fe4b01c3143b8a6d12faf20b3f6ff9903977d0ff8e6e7b2337e1fef17eb00825dc5f40be487e0b98f9e859

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
173B

MD5
7f313ab7d8abcb5a46cb16ed544907c3

SHA1
9c2be11ee09e2c4f62bb0b9900ac4892472e5224

SHA256
2f3f7fa02de044b4543dbc71baf3f1306d8c2b248533927cbc8de0583ae299f0

SHA512
c9e14c82563a661bb8c2c18897ba564fa3f3fbf7dfe0e070ff4db8a50fdac67df64c8541d67cf5baf61652a0691925d0427edd3954c1f248e4e0ecf1b8254851

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
10c5b7007243037ffcbb4b78acb33ef8

SHA1
938e8f83e583291d523c747d33c40efb4eff286d

SHA256
0a1aa1a894ca476ba004e43677f2976cf90b11d5e497bc74f8b812286d867c4f

SHA512
96d2b033cdc52c6d140cb691de0fd390875bfe5940b401c43bc0d9d9f5e084e1ccc2a23306f6adafb5e32844a017cfc4798be3e1294b6e2d92351fad4d7a0d8f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe

Filesize
3.2MB

MD5
2686776e2d6be3ad1737444dcf882338

SHA1
a222bc2bb03cab150f8719610f6550bba6b24112

SHA256
d7fe7eda9b7da4185bf14e4831b04e3c403fd62ad22b41b28f282d4a35db251e

SHA512
247d122275069062fd15c9dbb9a49259e05fcf985caeccfcb49c2339f6021c1b0785f8b7c1c3996814f427127cf4fc696cd2a7bf3de1d5803a062830d57e2e52

Download Submit