Analysis

  • max time kernel
    132s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/05/2024, 03:24

General

  • Target

    1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    1f4acc2840193a2b3093cec932eea7eb

  • SHA1

    8dfa71b596d34b7281ea2533697957311822cf8b

  • SHA256

    818ddcd58e62b21749be9172cb7b8b1930c288961a40f74f79d32510da80a75b

  • SHA512

    cac08dc9777ab03950953f9db5fdca0e73b51d64f373973c0cd047bf68d616408679a2c99297ea5e44e9f95a4d0ac95e5247fcabc99b5b30f170bb29a5e7fa03

  • SSDEEP

    98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1f4acc2840193a2b3093cec932eea7eb_JaffaCakes118.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\ProgramData\Чистилка\Чистилка.exe
      C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 2476
      2⤵
      • Program crash
      PID:1232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4968 -ip 4968
    1⤵
      PID:4848

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

            Filesize

            1KB

            MD5

            d727b2d9e16f9b8a435bd68a64be4dc5

            SHA1

            9bfee268801d38744236824ef2f8d93f75563e68

            SHA256

            8d129edd44d9030964d2ac01109a26d57c5db6bf7bd3afd6070c3c0eff7168bc

            SHA512

            c624dfb477604703b37dc0ce309bcfab74e2817ac357b0a7e672ba1c75e41a1e7d6f6cae1fb3a1cdeac40c40da1393a3ba0dcf0b23c6b9c6c7600b8328170723

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка.lnk

            Filesize

            1KB

            MD5

            41b13742f04ea63d1d87bbbf21a86c3e

            SHA1

            f7480711388d65b91985d95e64c3e9842af146ff

            SHA256

            cce3e10286612de1f3900fa3a80340aa913cf528ec7563a4e5ac854f61658a20

            SHA512

            27018abe8daeb05f4b8d66ce30bc8c26a0ec7e83d09b94c20b399e8c83ce3949cf383c57e7dbeee2b0528cee76dbf39198dda8b9cefd8157460a18b922259937

          • C:\ProgramData\Чистилка\Чистилка.exe

            Filesize

            4.3MB

            MD5

            1f4acc2840193a2b3093cec932eea7eb

            SHA1

            8dfa71b596d34b7281ea2533697957311822cf8b

            SHA256

            818ddcd58e62b21749be9172cb7b8b1930c288961a40f74f79d32510da80a75b

            SHA512

            cac08dc9777ab03950953f9db5fdca0e73b51d64f373973c0cd047bf68d616408679a2c99297ea5e44e9f95a4d0ac95e5247fcabc99b5b30f170bb29a5e7fa03

          • memory/4968-37-0x0000000000F50000-0x00000000013AE000-memory.dmp

            Filesize

            4.4MB