Analysis Overview
SHA256
19877426654096d35fa4a46656f35207fa19b3657c50c284cf601332243b9199
Threat Level: Known bad
The file 3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer
ISR Stealer payload
Nirsoft
NirSoft MailPassView
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops desktop.ini file(s)
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 17:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 17:53
Reported
2024-05-10 17:55
Platform
win7-20240221-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 2532 set thread context of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 2532 set thread context of 564 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.lnk " /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.bat
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\5Av1NKdfMp.ini"
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\0Qj4PiT7dB.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.lineamamamababy.com | udp |
Files
memory/2300-0-0x00000000744D1000-0x00000000744D2000-memory.dmp
memory/2300-1-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2300-2-0x00000000744D0000-0x0000000074A7B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe
| MD5 | 3050f4e4954811a6c0b01a429706a4f7 |
| SHA1 | b45715196d8302c56610cd95b2b246169391aa68 |
| SHA256 | 19877426654096d35fa4a46656f35207fa19b3657c50c284cf601332243b9199 |
| SHA512 | a2c45736c6b71cfcdf78bc7e840a17428ad5f1e23167bf7dbef48289317e93580c46ec65b6e8d7ded625f4d1024498ac2fd908cb2b47c15aa7fa6fcb74d69130 |
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 0f01571a3e4c71eb4313175aae86488e |
| SHA1 | 2ba648afe2cd52edf5f25e304f77d457abf7ac0e |
| SHA256 | 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022 |
| SHA512 | 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794 |
memory/2532-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2532-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2532-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2532-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2532-11-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.bat
| MD5 | ecfb8bbd2089f4b25ff6ed7ad46b75a9 |
| SHA1 | 3c02d9b41562f1f298b54ee43795ff19cded5481 |
| SHA256 | d8cde60c69544dd2c34408ba17f1703e3e7429e7c0257a3b37411633bfffb029 |
| SHA512 | b7727d9b0c3626c115fa2aa10dff860d898951d1396b1ecf8df2dc7114991e39d29619fa8f492514ceeb8195f3b3b9943754be13d14a4008475a07458aa4376c |
memory/2448-35-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2448-36-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2448-32-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2532-31-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2448-37-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2300-39-0x00000000744D0000-0x0000000074A7B000-memory.dmp
memory/2448-41-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5Av1NKdfMp.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/564-44-0x0000000000400000-0x000000000041F000-memory.dmp
memory/564-46-0x0000000000400000-0x000000000041F000-memory.dmp
memory/564-47-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2532-48-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 17:53
Reported
2024-05-10 17:55
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3172 set thread context of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 3860 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 3860 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3050f4e4954811a6c0b01a429706a4f7_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.lnk " /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.bat
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\AW0OMzkwea.ini"
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Users\Admin\AppData\Local\Temp\svhost.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\6i68b09ZxJ.ini"
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.196.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.lineamamamababy.com | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
memory/3172-0-0x0000000074A02000-0x0000000074A03000-memory.dmp
memory/3172-1-0x0000000074A00000-0x0000000074FB1000-memory.dmp
memory/3172-2-0x0000000074A00000-0x0000000074FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe
| MD5 | 3050f4e4954811a6c0b01a429706a4f7 |
| SHA1 | b45715196d8302c56610cd95b2b246169391aa68 |
| SHA256 | 19877426654096d35fa4a46656f35207fa19b3657c50c284cf601332243b9199 |
| SHA512 | a2c45736c6b71cfcdf78bc7e840a17428ad5f1e23167bf7dbef48289317e93580c46ec65b6e8d7ded625f4d1024498ac2fd908cb2b47c15aa7fa6fcb74d69130 |
memory/3860-11-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 454501a66ad6e85175a6757573d79f8b |
| SHA1 | 8ca96c61f26a640a5b1b1152d055260b9d43e308 |
| SHA256 | 7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8 |
| SHA512 | 9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7 |
memory/3860-17-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2096-20-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2096-23-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2096-24-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GoodheaTH\GoodheaTH.exe.bat
| MD5 | ecfb8bbd2089f4b25ff6ed7ad46b75a9 |
| SHA1 | 3c02d9b41562f1f298b54ee43795ff19cded5481 |
| SHA256 | d8cde60c69544dd2c34408ba17f1703e3e7429e7c0257a3b37411633bfffb029 |
| SHA512 | b7727d9b0c3626c115fa2aa10dff860d898951d1396b1ecf8df2dc7114991e39d29619fa8f492514ceeb8195f3b3b9943754be13d14a4008475a07458aa4376c |
memory/2096-28-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2096-27-0x0000000000400000-0x0000000000453000-memory.dmp
memory/3172-30-0x0000000074A00000-0x0000000074FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AW0OMzkwea.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/2696-34-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2696-32-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2696-35-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3860-36-0x0000000000400000-0x0000000000442000-memory.dmp