Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 22:01

Static task: static1
Behavioral task: behavioral1
Sample: 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe
Size: 554KB
MD5: 6fed82a74c070d6163e4f47fffb19981
SHA1: 552003efb5079a58adb119d1ce5b30733ff9d241
SHA256: 23226398d73d479d8972b2337025242c8db86397c8f0284400cbe71661156285
SHA512: 356a6330cbd1eca9be43fc2df3d560bb02720053d832462df820e32a3a1370dd27d85f964e6e21c42260cd5af18e614732525f0ecc39729e0a6cd42409e9eead
SSDEEP: 12288:UsLSQt0pkJ6KZ9jlkBdX2Gl45ZLRt100sa3wDhM6tpWgXrqPmRc8z:UsLS2XZ9jlch2GKZ310G3wBpqIc8z
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (four identical records, all from the sample process to its cmd.exe child):

description                        | pid  | process                                             | target process
PID 2740 wrote to memory of 2532   | 2740 | 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe | cmd.exe
PID 2740 wrote to memory of 2532   | 2740 | 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe | cmd.exe
PID 2740 wrote to memory of 2532   | 2740 | 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe | cmd.exe
PID 2740 wrote to memory of 2532   | 2740 | 6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe | cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe (PID 2740)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2532, child of 2740)
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\477.bat
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\477.bat
Filesize: 175B
MD5: 3e60bb3b52f052120dda89b70d1d6342
SHA1: 3f5711f5562e4da639eee68be14b8d1f713c48e7
SHA256: 42b882329769cfff57478f0edf9598431f0ed754cf44a8ac7721fda4a5c063b5
SHA512: 55d34e59659196401396a010fb1db2361750478fca53f7da6061fb5d84cff8fc236eaba4df97fb104ce339a85d9c3c82a6a3d93d1376e6201b3da6f9de49b3da

C:\Users\Admin\AppData\Local\Temp\53484.exe
Filesize: 554KB
MD5: 6fed82a74c070d6163e4f47fffb19981
SHA1: 552003efb5079a58adb119d1ce5b30733ff9d241
SHA256: 23226398d73d479d8972b2337025242c8db86397c8f0284400cbe71661156285
SHA512: 356a6330cbd1eca9be43fc2df3d560bb02720053d832462df820e32a3a1370dd27d85f964e6e21c42260cd5af18e614732525f0ecc39729e0a6cd42409e9eead
Note: size and all four hashes match the submitted sample, so this is a byte-identical self-copy of the sample, not a second stage. The contents of 477.bat are not shown in the report.

memory/2740-0-0x0000000010000000-0x0000000010127000-memory.dmp
Filesize: 1.2MB
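As an added triage example (not part of the sandbox report), the Python below takes the observations above, the process tree, the WriteProcessMemory IoCs and the dropped-file SHA-256 values, as constructed records and derives the three facts a practitioner would pull from this page: the sample spawns `cmd /c` on a .bat in its own Temp directory, it writes into that cmd.exe child's memory, and the dropped 53484.exe is a byte-identical copy of the sample. The record layout and field names (`pid`, `parent_pid`, `image`, `cmdline`) are assumptions, not the sandbox's export schema; the report does not show the contents of 477.bat, so the code does not guess at its purpose.

```python
"""Added triage helpers over the artifacts in this report (example code, not
sandbox output).  The records below are constructed from the Processes,
Signatures and Downloads sections; the dict field names and the
(writer_pid, target_pid) tuple layout are assumptions, not the sandbox's
export schema."""
import ntpath
import re

# Constructed from the Processes section; PIDs as reported in the
# WriteProcessMemory IoCs.
PROCESSES = [
    {"pid": 2740, "parent_pid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6fed82a74c070d6163e4f47fffb19981_JaffaCakes118.exe"'},
    {"pid": 2532, "parent_pid": 2740,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\477.bat"},
]

# Constructed from the "Suspicious use of WriteProcessMemory" signature:
# four identical (writer_pid, target_pid) records.
MEMORY_WRITES = [(2740, 2532)] * 4

# Constructed from the General and Downloads sections (SHA-256 only).
SAMPLE_SHA256 = "23226398d73d479d8972b2337025242c8db86397c8f0284400cbe71661156285"
DROPPED_SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\477.bat":
        "42b882329769cfff57478f0edf9598431f0ed754cf44a8ac7721fda4a5c063b5",
    r"C:\Users\Admin\AppData\Local\Temp\53484.exe":
        "23226398d73d479d8972b2337025242c8db86397c8f0284400cbe71661156285",
}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
CMD_C_BAT_RE = re.compile(r"/c\s+(\S+\.bat)\b", re.IGNORECASE)


def temp_batch_launches(processes):
    """(parent_pid, child_pid, bat_path) for each cmd.exe that a process
    running out of the user's AppData\\Local\\Temp spawned with 'cmd /c <x>.bat'."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for child in processes:
        parent = by_pid.get(child["parent_pid"])
        if parent is None or ntpath.basename(child["image"]).lower() != "cmd.exe":
            continue
        if not TEMP_DIR_RE.search(parent["image"]):
            continue
        m = CMD_C_BAT_RE.search(child["cmdline"])
        if m:
            hits.append((parent["pid"], child["pid"], m.group(1)))
    return hits


def writes_into_children(processes, memory_writes):
    """Distinct (writer_pid, target_pid) pairs where the target is a direct
    child of the writer; repeated IoC rows collapse to one pair."""
    by_pid = {p["pid"]: p for p in processes}
    pairs = set()
    for writer, target in memory_writes:
        t = by_pid.get(target)
        if t is not None and t["parent_pid"] == writer:
            pairs.add((writer, target))
    return sorted(pairs)


def self_copies(sample_sha256, dropped_sha256):
    """Dropped files whose SHA-256 equals the submitted sample's, i.e. the
    sample wrote a byte-identical copy of itself rather than a second stage."""
    return sorted(p for p, h in dropped_sha256.items() if h.lower() == sample_sha256.lower())


def triage(processes=PROCESSES, memory_writes=MEMORY_WRITES,
           sample_sha256=SAMPLE_SHA256, dropped_sha256=DROPPED_SHA256):
    """Combine the three checks into one findings dict."""
    launches = temp_batch_launches(processes)
    writes = writes_into_children(processes, memory_writes)
    # A cmd.exe child that the Temp-resident parent both launched on a .bat
    # and wrote into is the pattern worth escalating; the .bat itself is not
    # shown in the report, so its purpose is left unknown here.
    escalate = [(p, c, bat) for p, c, bat in launches if (p, c) in writes]
    return {
        "temp_batch_launches": launches,
        "writes_into_children": writes,
        "self_copies": self_copies(sample_sha256, dropped_sha256),
        "escalate": escalate,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The same three functions work unchanged on any process list in this shape, so the report-specific constants at the top can be swapped for records exported from a sandbox or from Sysmon event IDs 1 (process create), 10 (process access) and 11 (file create) once mapped to the same fields.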