Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 15:54
Static task: static1
Behavioral task: behavioral1
Sample: 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
Size: 1.3MB
MD5: 2598ebf1b561402e5a4c9042514ac04d
SHA1: a888bbd8d3c26c99e3eb49b3121d669c340687ec
SHA256: 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b
SHA512: 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0
SSDEEP: 24576:7gHEvJo0mfNy/JCGaje+vwc3U5DZhMoP8iQQLCb9Slqk:EEa04y/JC3vx3U5v1GQI9r
Malware Config
Extracted
formbook
2.6
hx48
click-list.info
Signatures
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 4160 Quote.exe
- 4860 Quote.exe
- 3160 Quote.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\colorcplS = "C:\\Program Files (x86)\\audiodghz74.cmd" (process: cscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote.txt | cmd" (process: reg.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 4160 set thread context of 3160: 4160 Quote.exe -> Quote.exe
- PID 3160 set thread context of 3448: 3160 Quote.exe -> Explorer.EXE
- PID 3432 set thread context of 3448: 3432 cscript.exe -> Explorer.EXE
Drops file in Program Files directory 3 IoCs
Processes (description, ioc, process):
- File created: C:\Program Files (x86)\audiodghz74.cmd (process: cmd.exe)
- File opened for modification: C:\Program Files (x86)\audiodghz74.cmd (process: cmd.exe)
- File opened for modification: C:\Program Files (x86)\audiodghz74.cmd (process: cscript.exe)
Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \Registry\User\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: cscript.exe)
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes (pid, process; identical entries collapsed with counts):
- 404 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe (2 entries)
- 4160 Quote.exe (2 entries)
- 3160 Quote.exe (4 entries)
- 3432 cscript.exe (54 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process; identical entries collapsed with counts):
- 3160 Quote.exe (3 entries)
- 3432 cscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 404 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
- Token: SeDebugPrivilege 4160 Quote.exe
- Token: SeDebugPrivilege 3160 Quote.exe
- Token: SeDebugPrivilege 3432 cscript.exe
- Token: SeShutdownPrivilege 3448 Explorer.EXE
- Token: SeCreatePagefilePrivilege 3448 Explorer.EXE
- Token: SeShutdownPrivilege 3448 Explorer.EXE
- Token: SeCreatePagefilePrivilege 3448 Explorer.EXE
Suspicious use of WriteProcessMemory 33 IoCs
Processes (description, pid, process, target process; identical entries collapsed with counts):
- PID 404 wrote to memory of 3760: 404 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe -> cmd.exe (3 entries)
- PID 3760 wrote to memory of 4160: 3760 cmd.exe -> Quote.exe (3 entries)
- PID 4160 wrote to memory of 904: 4160 Quote.exe -> cmd.exe (3 entries)
- PID 904 wrote to memory of 2656: 904 cmd.exe -> reg.exe (3 entries)
- PID 4160 wrote to memory of 4860: 4160 Quote.exe -> Quote.exe (3 entries)
- PID 4160 wrote to memory of 3160: 4160 Quote.exe -> Quote.exe (6 entries)
- PID 3448 wrote to memory of 3432: 3448 Explorer.EXE -> cscript.exe (3 entries)
- PID 3432 wrote to memory of 2160: 3432 cscript.exe -> cmd.exe (3 entries)
- PID 3432 wrote to memory of 4916: 3432 cscript.exe -> cmd.exe (3 entries)
- PID 3432 wrote to memory of 2932: 3432 cscript.exe -> cmd.exe (3 entries)
Processes (tree; indentation shows parent/child depth)
C:\Windows\Explorer.EXE (PID 3448)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe (PID 404)
    command line: "C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3760)
      command line: "cmd"
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Desktop\Quote.exe (PID 4160)
        command line: "C:\Users\Admin\Desktop\Quote.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 904)
          command line: "cmd"
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\reg.exe (PID 2656)
            command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Quote" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Quote.txt" | cmd"
            - Adds Run key to start application
        C:\Users\Admin\Desktop\Quote.exe (PID 4860)
          command line: "C:\Users\Admin\Desktop\Quote.exe"
          - Executes dropped EXE
        C:\Users\Admin\Desktop\Quote.exe (PID 3160)
          command line: "C:\Users\Admin\Desktop\Quote.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (PID 3432)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2160)
      command line: /c copy "C:\Users\Admin\Desktop\Quote.exe" "C:\Program Files (x86)\audiodghz74.cmd" /V
      - Drops file in Program Files directory
    C:\Windows\SysWOW64\cmd.exe (PID 4916)
      command line: /c del "C:\Users\Admin\Desktop\Quote.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 2932)
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46KB
MD5: 8f5942354d3809f865f9767eddf51314
SHA1: 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256: 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512: fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Filesize: 1.3MB
MD5: 2598ebf1b561402e5a4c9042514ac04d
SHA1: a888bbd8d3c26c99e3eb49b3121d669c340687ec
SHA256: 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b
SHA512: 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0