06d94641bb476c5fa3d78b7059887790bdf2d173081e7a595523ba28e99a58e0

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe
Size

654KB
MD5

6978d4fe770879c22f11d708eb6cfccb
SHA1

d47db598072d3a81403a250b7da4ab4bb245a8bd
SHA256

06d94641bb476c5fa3d78b7059887790bdf2d173081e7a595523ba28e99a58e0
SHA512

faf749fd1a4193b98ce6c9687a470d44bb3491f344ea84472b0e8382061fd03ba3f5af6ff73da0c6f20b6b27a806faa101ede9e1053d66e7cbca73503f82c637
SSDEEP

12288:uR7M/rkoZZ4Umg7BABatP/FxgZxuKmUULT1zYzWuEnyP+A20:uR7WZZ4Umg7BAAwPuKmHAWLyGAl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

BUWqJ.exe

pid process

1684 BUWqJ.exe
Loads dropped DLL 1 IoCs

Processes:

6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe

pid process

2408 6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1684	BUWqJ.exe

pid	process
2408	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe

Drops Chrome extension 3 IoCs

Processes:

BUWqJ.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json	BUWqJ.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe

description	pid	process	target process
PID 2408 wrote to memory of 1684	2408	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe
PID 2408 wrote to memory of 1684	2408	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe
PID 2408 wrote to memory of 1684	2408	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe
PID 2408 wrote to memory of 1684	2408	6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe	BUWqJ.exe

C:\Users\Admin\AppData\Local\Temp\6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6978d4fe770879c22f11d708eb6cfccb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\18393dc0\BUWqJ.exe
"C:\Users\Admin\AppData\Local\Temp/18393dc0/BUWqJ.exe"
2⤵
- Executes dropped EXE
- Drops Chrome extension
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\lsdb.js

Filesize
7KB

MD5
e60b1b9608d743c0d6b47a2c15cb1aee

SHA1
41c10aa121803fec87557e358a540c7f0266ce1e

SHA256
87ee3d582b6eece28d8ff3e899c029b75917f2ef1a08e86c3ea9dabffbd0db33

SHA512
0eb7212ea8412896026a692fdce34e3d2a285b2f516c37b13fc3dea941f803800d7a773deca9d3b7bbc0605fdb622474e6c10ff17180f2adfaf1aaad04951256

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\BUWqJ.dat

Filesize
1KB

MD5
d2e17fb4bb69995f49911e52fe07ef1b

SHA1
7d500f4dfb884206472ab654036a62d6cd786fd8

SHA256
d9a291738c5186dbcd15ddd4d1d218aec804438288db82f4fdf2431dc448521c

SHA512
c29e69959bdb70103d3943528fd6dd8aecc50d1ad8200044005b82adfe9f4befdc98365e2567711132fe3044480cbf40ca8f2cf5b700681e1d35ef7dba92843a

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\ganlifbpkcplnldliibcbegplfmcfigp\YUvswx.js

Filesize
24KB

MD5
46c299bacb3a5e74513d1461854c66b7

SHA1
c27c592525e2929a68971678c536b6af20aef46a

SHA256
25293eb85c48d1b8d0af027fdd93d066fa8cfbc45dbffe4fabe7e9a191e4ed61

SHA512
cad64bff9cae07aa3bc7851ca252e6613b3c3023af0ff89036f0f14cdb5287e7eeba2271abcbeb9686c67100205779667cc630567aff95a39fd2563cba28e92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\ganlifbpkcplnldliibcbegplfmcfigp\background.html

Filesize
143B

MD5
0c835c78fd9d888ac1afe8c3bf2d8d98

SHA1
3316f500cadec930d52553294e0e2100e921b39b

SHA256
46a2a135fdcefe54c8d1798e95932a01343a6885859afea0a2256d709b43d2b3

SHA512
de9411a2f600b3ff532ee4bd24c3a02b127b34373541eb2d4973a99402fe37ffaf666c60d7b22598a99a3520a356916ac2d3cad83a976ea11a4212007f4a49df

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\ganlifbpkcplnldliibcbegplfmcfigp\content.js

Filesize
7KB

MD5
0f9054279524b49954d32ced056eab06

SHA1
0ac7589c48d23a34332678572e3b02b3b3b39f5c

SHA256
48d6e16558d7d331085cb09f3995660640e673f82244e4980193259418ca1e07

SHA512
38684cfd6473c0f3b1a9b4ec78ea49b903d29bb95405fc0882954bccb49cb1f733c3d149e5046977b0f08808108c91680b45ca67d76868a99f4c75b9c05206dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\ganlifbpkcplnldliibcbegplfmcfigp\lsdb.js

Filesize
7KB

MD5
cff82b88669e188d6a5f77943a51ab87

SHA1
209187eefb9c20871e2e426307ee4cea469dee6d

SHA256
09501481648c593ddba3fa2378ab5c1cadebc4d9af47068a5715ab2934cd2fb9

SHA512
0038096a96bfae386668e5a5c73bfa913c5533ebd4995b7d145ee3413f2efe4c658ffb952272a64c6b11d64619583c36de32471be4559d0c9d37a8804634ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\18393dc0\ganlifbpkcplnldliibcbegplfmcfigp\manifest.json

Filesize
607B

MD5
9402760891e68386a100d13bc4026019

SHA1
e3ef76864ebd8436caa1de78b0d74517d72b42fe

SHA256
dff224b7f5749a00766e3df4943070d25de10162b746629513fcdf899c9a8627

SHA512
9592332c1f6aabf170d337521017520ba9577e4f8401734c988feb8d69f7f144dd9ba04bee91b113564d64e2bed1254ff1fb62ec4152f67d89ae17982d3a007b

Download Submit
C:\Users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\manifest.json

Filesize
607B

MD5
fee6946b8e8e1e15bccd3f192bfac337

SHA1
068a4290286dca8a54a93bb43d03ad6716fe7d01

SHA256
fddcb7c08308e01e0143239f8aa0b89c646401392c14943f1e8fb85ef5cbac65

SHA512
7d02d734bc39b4fbb08f7ba7227b28da84f82e18ef28af33789413c1b898976b5ef7bdfe275a64f17b567dfb3043d3ef35d4a7b2c90a5ebb6e07085ea48ca345

Download Submit
C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\126\YUvswx.js

Filesize
24KB

MD5
fd69cea1b9d46de9e6eb67794089d20f

SHA1
ac651ec79ae5ef434d732bdcbab3f3ca22df77a2

SHA256
4baf4e9be7a8b559819f8e82d141dd26ec3430d0619463a8a18e043a4427bb1e

SHA512
829a5bd0b785a21984b7c872b6bef512886819bcfa1030c250399913519fb5a28cf691006b59db8f5da05231ef4be104e2c6b602297fe718c7a7d8777bba023f

Download Submit
\Users\Admin\AppData\Local\Temp\18393dc0\BUWqJ.exe

Filesize
451KB

MD5
43aa29bf4812910789cc2805d11f68af

SHA1
22c30000fa6e7a8fbc111fde7e1cb4c3795cd5f9

SHA256
55ef27c7da3b60b65d524dd3ae3327506ffb035f78f6be5b793c71babeab8a04

SHA512
604ef59a990547a1a0aeb2cd10a0ea695ffa1114f912befdf179004737a2cd032cd884c3fbc856834ec9c076fd0c54173ed5361b8b6ed0f33adb6f56f8813f89

Download Submit