Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 03:03
General
-
Target
6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe
-
Size
8.8MB
-
MD5
6d2252d1f81e4a89059e7fbf6d4d0ecf
-
SHA1
fd182a7b2236b0bf447ac940d26b230fc75c54f3
-
SHA256
a52ba33e7b386e933d1a6ae99f257315935d4c68cd21f91e987d327683f9c990
-
SHA512
cfa5ead005026c01a3a72eca8d1a50ccce02283146f6e6ba99945d3e25879b7314a392cb342e8018b860b16dc10ff6db08168815a4fad84a49f9cb43f4676871
-
SSDEEP
196608:EwWfZ4PDKMxSIFQColSp5oNeW7f9VBQWwigouggCJEmvPjUide:1WfZ47X4QolSXglfiouggC2m4D
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 56 IoCs
-
Modifies registry class 8 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6d2252d1f81e4a89059e7fbf6d4d0ecf_JaffaCakes118.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\GetSID.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq explorer.exe" /FO LIST /V3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq explorer.exe" /FO LIST /V4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' get sid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsr7D32.tmp"C:\Users\Admin\AppData\Local\Temp\nsr7D32.tmp" /S /UPDATE /NAME ${UppFolderName} /SID S-1-5-21-2539840389-1261165778-1087677076-1000 _?=C:\Users\Admin\AppData\Local\Temp2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc delete "0"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\sc.exesc create 39a7eed1b01781a6d51a82ee4de8f1e0 binpath= C:\Windows\system32\drivers\39a7eed1b01781a6d51a82ee4de8f1e0.sys DisplayName= 39a7eed1b01781a6d51a82ee4de8f1e0 type= kernel start= system group= PNP_TDI2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start 39a7eed1b01781a6d51a82ee4de8f1e02⤵
- Launches sc.exe
-
-
C:\Program Files\0b3b547fd93c69f67a64b1d149c763ac\dff269b1874ee4e2fa65b26beaa5fac0.exe"C:\Program Files\0b3b547fd93c69f67a64b1d149c763ac\dff269b1874ee4e2fa65b26beaa5fac0.exe" --install2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "& {Add-MpPreference -ExclusionPath @('c:\program files\0b3b547fd93c69f67a64b1d149c763ac\', 'C:\Windows\System32\drivers\39a7eed1b01781a6d51a82ee4de8f1e0.sys', 'C:\Windows\90922cb71dfcba41381ba4b1ebc3b903.exe')}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\0b3b547fd93c69f67a64b1d149c763ac\dff269b1874ee4e2fa65b26beaa5fac0.exe"C:\Program Files\0b3b547fd93c69f67a64b1d149c763ac\dff269b1874ee4e2fa65b26beaa5fac0.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "& {Add-MpPreference -ExclusionPath @('c:\program files\0b3b547fd93c69f67a64b1d149c763ac\', 'C:\Windows\System32\drivers\39a7eed1b01781a6d51a82ee4de8f1e0.sys', 'C:\Windows\90922cb71dfcba41381ba4b1ebc3b903.exe')}"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
318B
MD5e30dcd7ebbf471ece9b52809f7bf0b8f
SHA1fbcfcea872f8aa30b4802fc41c46028e8da064d5
SHA256c3738c586b10a499f7a528e6405e2309c4988d360de57f42169ca51e94537478
SHA51272d169d9506f4ff7024e79e1e5a676f5d85311bc28ca92119f83bbb761a83cc4389adb8baf8c91aa039782a4a96e5ce747bd472981a8d80e72f3fcf8c238ea79
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
97KB
MD52e0785f18f8714393bc4bc1fe170eadf
SHA11efba431c0fac46c6cb6f60dc08f65a0e23ccf3d
SHA256e68d65626b24e7c1f6fbe1001f43174d0243095181025736f37ad704662f4351
SHA5128a272bb264fa066960a4f34411a81652839eccdbc6fa25be20c0b94d7d10b16cb568338abb5d1a96c155cbc4bc7923d0387fa36bed69c1021296cc6cc5fbb45e
-
Filesize
61KB
MD5d63975ce28f801f236c4aca5af726961
SHA13d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9
SHA256e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
SHA5128357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810
-
Filesize
94KB
MD59be4857761626998d1522c623058b2d0
SHA1054c7d13400117f8b4accc2cba2bca5f976baa70
SHA2568717e451286278ba07a15197f0292de2fd90487a9f78ad00b28f5d6b6ea2c8c9
SHA5128bca7b46a3f1d8b11a8690b02e3802428b310693f090a4ddfb397249b4f5ce9ff6112d0f2a85f89ac5eb75133035bcb111cac8bc6cb18ad9875d17122834d81c
-
Filesize
5KB
MD569806691d649ef1c8703fd9e29231d44
SHA1e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA5125e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb
-
Filesize
3.8MB
MD57ede9c63f9a5134eb50eb928c0c5aabf
SHA186d2cf7837cd460043835e8661ae5239c6f59fb3
SHA256fdc3ac6e64545a4d500e7649203c9fe058c571065e98ae8a0002524879ba3c77
SHA5127786a98dd74b769bae06e8679b093c134adffeb9bb29d89fc716498fcb900e000c320bfca178610126d5f6a3eeb9a450ac9ea0c8d292a7e6e01ccecd109a9389
-
Filesize
7KB
MD580e34b7f576b710d100f6e7c0bed0c2e
SHA12b5b895034d41ee0d0d01bf650594ad0d1346662
SHA256569d62345f6c915236772fa2575d1806cd2bfe089505807cb477618f1eeccf99
SHA512f5970c192b7089040fd1cf26e5cab131879b91722dff0216cdc735f9cfde1eda061409b579eb0f11e3b32e5513e34bbedd4050b75bb1b2acc81be814c2c6c59b
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
840KB
MD5355c877b0a9c80d27eca9a480bf5fd5d
SHA1af1d07a1d11d7f3e24d84324cc0cf70849da9338
SHA2562e484b9053b5e155608fd10da190d4ee92c2286eea2a3f2ee6c564f24e8c1bba
SHA512b2f115824617c9c23ef9df3b89f0cba6852071cd997ecb543cf1ca9c72fdefa636a74d25393c70c4ae2f602f499d5704c0917e8036c81537f8e07f0c0ee50250
-
Filesize
21KB
MD5d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
Filesize
8KB
MD597960d7a18662dac9cd80a8c5e3c794b
SHA14c28449cefa9af46bb7a63e9b9ea66a2de0ea287
SHA256e0d1dc6e4c5cc13fb2db08fc741da0d08b315ebc8d3b53baa61552625d19b9c3
SHA5121baab7b5378f3a396b31bf63b01b7905759c9f1d17d71882af63338d64eceda1884c947d93e4d9ef911bded1ef061043c873a88b8272f1aa296731aa745e756c
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
116KB
-
Filesize
76KB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
136KB
-
Filesize
14.1MB
-
Filesize
14.1MB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
724KB
-
Filesize
112KB