eaf39296275eac5af338b2b9994a43b017454ccf9b4d6983134a7715f099adba

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1748fa073414360500d759041e5471b_JaffaCakes118.exe
Size

3.2MB
MD5

d1748fa073414360500d759041e5471b
SHA1

1a9b1e691160ffce53aa11189d4b5b43c7a3deec
SHA256

eaf39296275eac5af338b2b9994a43b017454ccf9b4d6983134a7715f099adba
SHA512

e04a094eb4dee02a59ee45424c55c1f185be03d01cc2c7a31a200158f48c5ee18e4b9ce2afa8f00ca3ea7ae151e08525bf79cb901b4719a5f45b4a44f9dc7264
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBBB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpSbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe	d1748fa073414360500d759041e5471b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	sysabod.exe
4168	xoptiloc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLB\\xoptiloc.exe"	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPK\\dobdevec.exe"	d1748fa073414360500d759041e5471b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe
4140	sysabod.exe
4140	sysabod.exe
4168	xoptiloc.exe
4168	xoptiloc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4140	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	89
PID 1880 wrote to memory of 4140	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	89
PID 1880 wrote to memory of 4140	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	89
PID 1880 wrote to memory of 4168	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	90
PID 1880 wrote to memory of 4168	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	90
PID 1880 wrote to memory of 4168	1880	d1748fa073414360500d759041e5471b_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\d1748fa073414360500d759041e5471b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1748fa073414360500d759041e5471b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\UserDotLB\xoptiloc.exe
  C:\UserDotLB\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBPK\dobdevec.exe

Filesize
2.9MB

MD5
c46320161c555f8fc749d7600448ad4b

SHA1
e125c1b78ab7e7a9d0cfb1bc9c0b86a745fc80cd

SHA256
6aa2ec7df536aa1959b3d98d6364bfcb631a5f9a59d0579aa741080898c8b982

SHA512
58b81528c405c8a89caa36f3fdeb62ca6305880bbbfced01eb1756816c7a75c2f5771a447fd3a511a3c3008463e9394d8101e54da2aaea0c93b4f8397a15970c

Download Submit
C:\KaVBPK\dobdevec.exe

Filesize
373KB

MD5
a5b75a7a36ff786ab149261a9884cfe3

SHA1
39fe166527d84122e321f2ee20636adb23a4abc5

SHA256
ca2d9defe60b23546b6aeccba05b1edebcb0f7ea4ace64c0d618402259ee4fa7

SHA512
1986ccb0ac074a3f75c045bb181a61c61e0004df493257f0428da2a2ec39d50d42fbf796d836084baca71ef3b0733e5a7eebc27e4a47e0601c392e31b1bdc581

Download Submit
C:\UserDotLB\xoptiloc.exe

Filesize
324KB

MD5
be4ddafc2cb8b5edc5d8833f111caf89

SHA1
087d8e6e6a471f584a43c5b854a1e7888485e287

SHA256
543e7186ff3b545410cda4f3f9dfc40327d8e0bfafcce85aa34fef65120afb94

SHA512
b34465d44c8c4dc6d4fcf69a671a95136192e765c6d60550303947178dd59dad004d72bd782a40161e3a738a0389d4d4e19af3da7e2c0c48082c1722c94f19de

Download Submit
C:\UserDotLB\xoptiloc.exe

Filesize
3.2MB

MD5
1a7efd922f9b8e5356b969b0aeadf8a0

SHA1
007fc4c2cd8a7c187c7cf12643c9b53eddf9ed2d

SHA256
1fe78f25f7ab302aace0e0c1e40c1650e3084082842eae3cd2cb397903a77e75

SHA512
d8645f42dbc1eae2b42d1b608c8b4b610cea9907e78eb4e7154901ac331a4bb2cbbffae98f5870ce5ac9b1d698d402bd998fc0d289cc7e4c461c95f2188011e3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
eb984e0eaf299f9f8005fe026debed84

SHA1
2277927b165b7115da27f9efb9747f38f8bb5bb6

SHA256
8ce94c09d0a8270f774b52c3029a5db2a36191817a211d667c4cfc750c8d850a

SHA512
db182a4982fda7d57eaf6d5eeec1b0b0d3b9d349dc9cce4f0a56cf42b575ed79d3f9714cfc87ab05265bea1aea3dedafa4024b0bc5ed0ebf47395c8f71fc21a3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
172B

MD5
fe87fbded513a8ee96cebe5aefd7ba74

SHA1
f2e7c42bbf51f6b3f72b06fc4cba9f6b41e15f8f

SHA256
39185937fb91e56a03f13a67920febb102abfb7af3ad7d82241c5a2134e6fc44

SHA512
1d89ae1471438acde1796263ae0907a284249b486114e57f26f12df394ef4c2826e7f3e54d064137e7a9a87d7873467d7e2512a6a7530ac3e94fd89fc4f7842e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe

Filesize
3.2MB

MD5
ffc33d329b1a6336e279f06a58454e52

SHA1
ec9e6a00e424c615b50d6b742ea6ff6170c038c1

SHA256
cb0f3a194cb98c96668930312d6bdeb290ba481f8e939e99c02195a702e79ba9

SHA512
6578ef45405df57254229958625993de9ee28413ec965ca6cd577904833c8878166b0a4f80f49bcedd56020ac18f195c02e2abb9e4d8b12216f26eeaa0da9c29

Download Submit