Overview

overview

8

Static

static

3

5c595e6e7a...18.exe

windows7-x64

8

5c595e6e7a...18.exe

windows10-2004-x64

8

data1748814.rtf

windows7-x64

1

data1748814.rtf

windows10-2004-x64

1

data2607577.xls

windows7-x64

1

data2607577.xls

windows10-2004-x64

1

data865134.pdf

windows7-x64

1

data865134.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    138s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2024, 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe

  • Size

    6.0MB

  • MD5

    5c595e6e7a518e6e59781233b9f0a0fa

  • SHA1

    58f9482895a688ae3acff3e6f1f72351025dbafb

  • SHA256

    63a12d00df51a39449cdd29f34ca128bad0d39852783b8ad1fbcfad23f74325d

  • SHA512

    a17e18528d9083366c3b87e9b5fca2021d05fa1afad9a01859f5af325d5040ecebbf65cd8a1751153dbf8e90682addb789ebb9832c287c6db94a4513e623786d

  • SSDEEP

    98304:Rj0roU/xc9qrYL0hQgQAAQQxDZU62y7MsUwzEIdbGMlUq72fCsVoDxXioQ6Q3P:Rj0roU/O9kC0CGDYUxIdp72fQX8

Score
8/10
discoveryevasionexecutionpersistencespywarestealer

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 40 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 31 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5c595e6e7a518e6e59781233b9f0a0fa_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\sc.exe
      sc.exe query
      2⤵
      • Launches sc.exe
      PID:5080
    • C:\Windows\SysWOW64\sc.exe
      sc stop OtherSearch
      2⤵
      • Launches sc.exe
      PID:512
    • C:\Windows\SysWOW64\net.exe
      net stop Lace514
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop Lace514
        3⤵
          PID:4616
      • C:\Windows\SysWOW64\sc.exe
        sc create Lace514 binpath= %SystemRoot%\System32\drivers\Lace_wpf_x64.sys DisplayName= Lace514 type= kernel start= system group= PNP_TDI
        2⤵
        • Launches sc.exe
        PID:1872
      • C:\Windows\SysWOW64\sc.exe
        sc start Lace514
        2⤵
        • Launches sc.exe
        PID:3752
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Program Files (x86)\deXq7s0uTq\kl.dll" Install
        2⤵
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "updengine.exe" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\schtasks.exe
          schTasks.exe /QUERY /FO TABLE /V
          3⤵
            PID:3012
          • C:\Windows\SysWOW64\find.exe
            find "updengine.exe"
            3⤵
              PID:4780
          • C:\Windows\SysWOW64\sc.exe
            sc start OtherSearch
            2⤵
            • Launches sc.exe
            PID:2008
          • C:\Windows\SysWOW64\SchTasks.exe
            "SchTasks.exe" /CREATE /TN "tOekwGxbF6" /XML "C:\Program Files (x86)\deXq7s0uTq\s.xml"
            2⤵
            • Creates scheduled task(s)
            PID:3764
          • C:\Windows\SysWOW64\cmd.exe
            cmd /S /C "schTasks.exe /QUERY /FO TABLE /V | find "C:\Program Files (x86)\deXq7s0uTq" "
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1656
            • C:\Windows\SysWOW64\schtasks.exe
              schTasks.exe /QUERY /FO TABLE /V
              3⤵
                PID:4792
              • C:\Windows\SysWOW64\find.exe
                find "C:\Program Files (x86)\deXq7s0uTq"
                3⤵
                  PID:60
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" failure OtherSearch reset= 60 actions= restart/30000/restart/30000/restart/30000
                2⤵
                • Launches sc.exe
                PID:888
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" failure Lace514 reset= 60 actions= restart/30000/restart/30000/restart/30000
                2⤵
                • Launches sc.exe
                PID:4004
              • C:\Program Files (x86)\deXq7s0uTq\slite.exe
                slite.exe "C:\Program Files (x86)\deXq7s0uTq\History" "select url,datetime(last_visit_time/1000000-11644473600,'unixepoch','localtime') from urls order by id DESC limit 0,3"
                2⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:856
              • C:\Program Files (x86)\deXq7s0uTq\slite.exe
                slite.exe "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kfphrdoc.Admin\places.sqlite" "select url,datetime(last_visit_date/1000000, 'unixepoch','utc') from moz_places order by id DESC limit 0,3"
                2⤵
                • Executes dropped EXE
                PID:3536

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\deXq7s0uTq\History
              Filesize

              152KB

              MD5

              73bd1e15afb04648c24593e8ba13e983

              SHA1

              4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

              SHA256

              aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

              SHA512

              6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

              Download Submit

            • C:\Program Files (x86)\deXq7s0uTq\data.dt
              Filesize

              3.5MB

              MD5

              edffdbed03c1314970b030126d1c9247

              SHA1

              0a39be3b057aa71c667281d22278599f65360eac

              SHA256

              a434dbb9abf4e94c4dbe804a617de4b54b8c14b2a6b676903cc78c1c9645fbb2

              SHA512

              6572c11af077df8581429248e2767a67fb5554e00bc0832195907b34e7bd3caa4c04f9d69b92f58f6483e9b0d845557e5646d6ad6ca5313d73d473f37784691a

              Download Submit

            • C:\Program Files (x86)\deXq7s0uTq\kl.dll
              Filesize

              601KB

              MD5

              595cfac71b17ff098577c8d806fe4a53

              SHA1

              6dafccb9f5ebe5be64c3971dd435eed7b69e30c3

              SHA256

              2e7d3050b4929ca2ff0abfea1b7fd3f8aa8f50683a1d299805a5bad647a227d1

              SHA512

              5f3151d85724b374418304c4e0ebe3cb2f6ba5bf3f9f6ce1ce2e891e7f35f2065576dabb1ff8880e16102cb0ecbd4dcf680b117698a45872b2241f8e303ae607

              Download Submit

            • C:\Program Files (x86)\deXq7s0uTq\kl.ecf
              Filesize

              12KB

              MD5

              2008c1db87cf4117da7441cdb1be471c

              SHA1

              e092db5743b83aaa27b0b12530a4308f07b69595

              SHA256

              5411d9cab12b600993beb8861e089eeddfc4667298179dee9c45580bb532098e

              SHA512

              66ed3a3686d7040f209a4803ee687d19a573290d6a819131fdb48248849f3706be8130d7df140d7643a214fea6e010208b0e2aacfad97c1a40cf30818c8ed770

              Download Submit

            • C:\Program Files (x86)\deXq7s0uTq\s.xml
              Filesize

              771B

              MD5

              74c5fa8d8ae91636ca356468715e8f2d

              SHA1

              78bbc97068a9a2e5399bc81a1bcd6d169bde2992

              SHA256

              255202eaa70afd72c36b47dabdd62e6e2e013756614cd92b7d23571aa330c186

              SHA512

              8bb974ef97610299f37ad259fc3615132dc1b9b1bc9b443b9750d30f590693e8cb2a2d7a31ab749ab77fb5d301b0d9f69d9aba5d25da7bf77b60a62fede96169

              Download Submit

            • C:\Program Files (x86)\deXq7s0uTq\slite.exe
              Filesize

              454KB

              MD5

              8d03b10f0dced524a88a3ff4b370f50d

              SHA1

              b6a221e3502c7f2e1d2a19f2142ce028a1fd21d5

              SHA256

              f7b2783b68e6b991eedab07f6b2bff0e6594e19ad470edaa89618bc9ed367b3c

              SHA512

              6bb291d3f2fe004b71526858b3d15d7c0997a786c9793a83e99279a04e34c59bdaccf9be7847d6fdcfff7c26060bad08922cd0b4c4e178ddc1468e15a673dd20

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq2FCC.tmp\GetVersion.dll
              Filesize

              10KB

              MD5

              d1c6553f6072c5b470db592dc70bd76c

              SHA1

              de3879252aecf835267e98395eef07680a3f8f49

              SHA256

              2f0f2eee13f48f392ef52ef13f3dcc3265d903f9b748981caa0a43c9c8457f33

              SHA512

              9a778309a2f15d60d35d9a91fc379ff7710576de99b72a7a4bd757760b5084d76a143484c87e41125a74497ac24d1df2cb552f39a8ba33bcff39cdfa8bdd5afb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq2FCC.tmp\System.dll
              Filesize

              11KB

              MD5

              c17103ae9072a06da581dec998343fc1

              SHA1

              b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

              SHA256

              dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

              SHA512

              d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq2FCC.tmp\inetc.dll
              Filesize

              21KB

              MD5

              d7a3fa6a6c738b4a3c40d5602af20b08

              SHA1

              34fc75d97f640609cb6cadb001da2cb2c0b3538a

              SHA256

              67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

              SHA512

              75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq2FCC.tmp\nsExec.dll
              Filesize

              6KB

              MD5

              acc2b699edfea5bf5aae45aba3a41e96

              SHA1

              d2accf4d494e43ceb2cff69abe4dd17147d29cc2

              SHA256

              168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

              SHA512

              e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsq2FCC.tmp\nsProcess.dll
              Filesize

              4KB

              MD5

              05450face243b3a7472407b999b03a72

              SHA1

              ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

              SHA256

              95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

              SHA512

              f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

              Download Submit

            • memory/620-100-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-106-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-117-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-120-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-124-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-104-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/620-98-0x0000000002C50000-0x0000000002FDC000-memory.dmp

              Filesize

              3.5MB

              Download

            • memory/856-188-0x0000000000400000-0x0000000000477000-memory.dmp

              Filesize

              476KB

              Download

            • memory/3024-0-0x0000000000A00000-0x0000000000A72000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3024-230-0x0000000000A00000-0x0000000000A72000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3536-196-0x0000000000400000-0x0000000000477000-memory.dmp

              Filesize

              476KB

              Download