Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2024, 18:20
Static task
static1
Behavioral task
behavioral1
Sample
5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe
-
Size
520KB
-
MD5
5624fb2ed41f989f2d2e38579fa3a17b
-
SHA1
2e3fd2be2b88a35837f29a927086abb430e12a4a
-
SHA256
17dc0136c31a1353dd87efd7cabb4b7c39afb3b26e016e92f2e87feec62e4aa4
-
SHA512
c458026e6d52c8cd486772b21fa7772fcd415c7333461176d084bafee43162d1eef73e922146d50aeb3c857292c176c8215aa57a8986caaed544fed86a160ec8
-
SSDEEP
12288:pDWFBsvRPY6VyvEIKAVPZTHyjo6ItTKBYXWRgHc0GDE5CoG:RvRgOyhaXIZuYXWRd4G
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3388 set thread context of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 1844 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 1844 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe Token: SeDebugPrivilege 1844 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1844 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 PID 3388 wrote to memory of 1844 3388 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe 86 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1844
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5624fb2ed41f989f2d2e38579fa3a17b_JaffaCakes118.exe.log
Filesize522B
MD50f39d6b9afc039d81ff31f65cbf76826
SHA18356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
SHA256ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
SHA5125bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9