Analysis
  max time kernel: 149s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08-05-2024 12:53
Behavioral task behavioral1
  Sample: 24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
  Target: 24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe
  Size: 552KB
  MD5: 24eca305562ce8bd4f36ac89298175d6
  SHA1: 52526f5c8d2e21c7e7bd1d914bf1fbf11ed88357
  SHA256: 384e6e90221ab95f95634da7b74e83cc7f8cff13583b50781a08fe3149273b10
  SHA512: dd246df54817d47bd6bdcdaaeae708c9a40f252a350f27932f45c72f8db225baef02bd771835cbf41e4609c78bd4db323eca25e670d3264f335ebe608abe40d7
  SSDEEP: 12288:E9rD+H23OO3n/LpPxM35B9qgObN8F6qlfNUqIFzGRIF6nj1K20XdDixi8B7xDFCs:CrDF3ln/Llib0J2
Malware Config
Signatures

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
  resource                                                                     yara_rule
  behavioral2/memory/5116-15-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/5116-17-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/5116-18-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView
  behavioral2/memory/5116-21-0x0000000000400000-0x000000000041C000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
  resource                                                                     yara_rule
  behavioral2/memory/4620-4-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/4620-6-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/4620-7-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/4620-13-0x0000000000400000-0x000000000045B000-memory.dmp  WebBrowserPassView

Nirsoft (8 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4620-4-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/4620-6-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/4620-7-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/4620-13-0x0000000000400000-0x000000000045B000-memory.dmp  Nirsoft
  behavioral2/memory/5116-15-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/5116-17-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/5116-18-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
  behavioral2/memory/5116-21-0x0000000000400000-0x000000000041C000-memory.dmp  Nirsoft
Uses the VBS compiler for execution (1 TTP)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description  ioc                                                                                                                    Process
  Key opened   \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                            pid  Process                                             procid_target
  PID 640 set thread context of 4620     640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe  94
  PID 640 set thread context of 5116     640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe  95
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process                                             entries
  4620  vbc.exe                                             12
  640   24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe  2

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid  Process                                             procid_target  entries
  PID 640 wrote to memory of 4620    640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe  94             9
  PID 640 wrote to memory of 5116    640  24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe  95             9
Processes
1. C:\Users\Admin\AppData\Local\Temp\24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\24eca305562ce8bd4f36ac89298175d6_JaffaCakes118.exe"
   PID: 640
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6939.tmp"
      PID: 4620
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp6D42.tmp"
      PID: 5116
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4KB
  MD5: ffac57f3af894e11bc3b35a6f57e8d3e
  SHA1: 24fbd90d6dd2a857714504f95d0943fd8c19ac92
  SHA256: 76b287236dd90b8bd6d7ea8df80a6e0ce7267270de339c028d5965c6f7a242a6
  SHA512: f504f37eb536ec0c84923be7944b14c4a21e39db27f657c9bb0a4f3fe00573f31589233bb0bd4b43add65498863d384cfd8508ea18fa339415a5265d2f8264b6