Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 03:56
Static task: static1

Behavioral task: behavioral1
  Sample: 5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General

Target: 5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
Size: 749KB
MD5: 5d0fc29b2e452f2755adb485b042b68f
SHA1: b593df766e097fcd883283449021b0929d2789bf
SHA256: 14238c034c6094c578678f2f9ace098c16b3c0330b2205a79bb0d6dc87ee4ad7
SHA512: 3e5f0beb9e2c379a28721c7b0ffbccf56bf3789c78be585a09eed274bc45f97d84d063be42cfeb6eebbaae8969e9676d8d8587efadefcef0a751d8db4f3c1c4b
SSDEEP: 12288:r2ao6kbriwUzgTVyaFBA8KBcm3VDSxUoe7+PL1BLltrcxoIlrh4Xxw0nOJaL4Lh:r2aOriwwmVb08wcm3VGmoegLvvI9OqHZ
Malware Config
Signatures

NirSoft MailPassView (4 IoCs)
Password recovery tool for various email clients
  resource                                                                      yara_rule
  behavioral2/memory/5852-23-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
  behavioral2/memory/5852-25-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
  behavioral2/memory/5852-26-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView
  behavioral2/memory/5852-29-0x0000000000400000-0x000000000041C000-memory.dmp   MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral2/memory/6136-13-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/6136-15-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/6136-16-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView
  behavioral2/memory/6136-21-0x0000000000400000-0x000000000045B000-memory.dmp   WebBrowserPassView

Nirsoft (8 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/6136-13-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/6136-15-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/6136-16-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/6136-21-0x0000000000400000-0x000000000045B000-memory.dmp   Nirsoft
  behavioral2/memory/5852-23-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
  behavioral2/memory/5852-25-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
  behavioral2/memory/5852-26-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
  behavioral2/memory/5852-29-0x0000000000400000-0x000000000041C000-memory.dmp   Nirsoft
Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description   ioc                                                                                                               Process
  Key opened    \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  62     bot.whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
  description                         pid    Process                                               procid_target
  PID 3008 set thread context of 2956  3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 2956 set thread context of 6136  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 set thread context of 5852  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid    Process
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  6136   vbc.exe
  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid    Process
  Token: SeDebugPrivilege  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid    Process
  2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (26 IoCs)
  description                         pid    Process                                               procid_target
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 3008 wrote to memory of 2956    3008   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   97
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 6136    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   98
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
  PID 2956 wrote to memory of 5852    2956   5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe   99
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe"
  PID: 3008
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe (child of PID 3008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe"
    PID: 2956
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2956)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp274A.tmp"
      PID: 6136
      - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 2956)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2B52.tmp"
      PID: 5852
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\5d0fc29b2e452f2755adb485b042b68f_JaffaCakes118.exe.log
  Filesize: 405B
  MD5: bb02d2315b8c3d46390cc8852c350909
  SHA1: c7eb57165fb7be0cec9a282a56449d35a3e39a53
  SHA256: 6b04fbf03b5064dc32c8cbc7e5f125339ca297622487ed4269da381fa50b7290
  SHA512: e395ec8866c9ba864bd59bfb84a88538a053740d66e2fa83926597b2e4b357a55f794c5b39c5ae43353f4debc865ec6b4c60494da32a10e643582b6ae130d080

Second download (no path listed in the report)
  Filesize: 4KB
  MD5: a35b8711bea28d54fb7a350adceb3f76
  SHA1: 5872d7a95a74ec6de08194283027fcf2cdb96390
  SHA256: a90449e696cb37fa289ab8dcd0888734c74d0b61273231a0ce0e93adfd2d8137
  SHA512: d997e0ace25eff648f16395a4771402465b39fa059d3b0f36efbd743c691bf4308c58d5585e3aebc63c206d18d01edf46f14b0cb5cffe6f1d5bf9132d76d9210