Analysis
- max time kernel: 140s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-05-2024 18:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
- Size: 753KB
- MD5: 2b478db2af56153a2cee33f71213cc2f
- SHA1: bce28f5f6b310898c08413b94b4cdb2b15dce4b8
- SHA256: 934fa3c723ef0371168b39cec66e9f23297d9cd1d6eeae9db2b602044bfdfff1
- SHA512: 64ce4bb46478d21f225d22b8733efbf03d4e18093fe2692ed189060e46a3e3d92f77727699a9f5f09aeca9969229bc4bbac6a3f673680eac403101334517e019
- SSDEEP: 12288:xgB3AAoSMCDXZyPheGF/oP5mjp3kn4OuLh/7/pUwp/ihyvPRr:IqTeJ+heG9jpzOohz/CwBihc
Malware Config
Signatures
- NirSoft MailPassView (6 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    behavioral2/memory/3512-8-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral2/memory/3512-10-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral2/memory/3512-9-0x0000000000400000-0x0000000000488000-memory.dmp | MailPassView
    behavioral2/memory/4408-20-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4408-22-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
    behavioral2/memory/4408-23-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (6 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/3512-8-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3512-10-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3512-9-0x0000000000400000-0x0000000000488000-memory.dmp | WebBrowserPassView
    behavioral2/memory/640-26-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/640-27-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
    behavioral2/memory/640-34-0x0000000000400000-0x0000000000458000-memory.dmp | WebBrowserPassView
- Nirsoft (9 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/3512-8-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral2/memory/3512-10-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral2/memory/3512-9-0x0000000000400000-0x0000000000488000-memory.dmp | Nirsoft
    behavioral2/memory/4408-20-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4408-22-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/4408-23-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
    behavioral2/memory/640-26-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/640-27-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
    behavioral2/memory/640-34-0x0000000000400000-0x0000000000458000-memory.dmp | Nirsoft
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    description | ioc | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes: vbc.exe
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    20 | whatismyipaddress.com
    18 | whatismyipaddress.com
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe, 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    description | pid | Process | procid_target
    PID 1372 set thread context of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 3512 set thread context of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 set thread context of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: dw20.exe
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: dw20.exe
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: vbc.exe, 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    pid | Process
    640 | vbc.exe
    640 | vbc.exe
    3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe, dw20.exe
    description | pid | Process
    Token: SeDebugPrivilege | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    Token: SeBackupPrivilege | 3120 | dw20.exe
    Token: SeBackupPrivilege | 3120 | dw20.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    pid | Process
    3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe, 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    description | pid | Process | procid_target
    PID 1372 wrote to memory of 4688 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 92
    PID 1372 wrote to memory of 4688 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 92
    PID 1372 wrote to memory of 4688 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 92
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 1372 wrote to memory of 3512 | 1372 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 94
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 4408 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 96
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 640 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 98
    PID 3512 wrote to memory of 3120 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 101
    PID 3512 wrote to memory of 3120 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 101
    PID 3512 wrote to memory of 3120 | 3512 | 2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1372
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Update\VDFFSHBXCTFGHDNMBGKZXDDXNVMNCCXBGBNXJNCJM" /XML "C:\Users\Admin\AppData\Local\Temp\z169"
    - Creates scheduled task(s)
    PID: 4688
  - C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b478db2af56153a2cee33f71213cc2f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3512
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
      PID: 4408
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      - Suspicious behavior: EnumeratesProcesses
      PID: 640
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1364
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      PID: 3120
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: f94dc819ca773f1e3cb27abbc9e7fa27
  SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
  SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
  SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
- Filesize: 1KB
  MD5: f34359e35c1ec733397aeb21f905976d
  SHA1: 781561d362233bd12309927cd4f03244a64fe0ec
  SHA256: 220db0c8f771ea072c8f3199dc051d198df61b8b65083703cf635d8126076615
  SHA512: 4fb9add476040bab90f2c428b1cf357e34e083960dde267513528f5871e299e3ac5d870c7402a2b1b0b81a2c2308ed1379c80909782ba1b1dbec663b43a7f8a0