Overview

overview

10

Static

static

3

73c81dd677...18.exe

windows7-x64

10

73c81dd677...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

  • Size

    992KB

  • MD5

    73c81dd67773b2efa5261e20adf74a5b

  • SHA1

    fde0db688d6abb4aad0bb646db9f1c192d980b5a

  • SHA256

    ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42

  • SHA512

    8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9

  • SSDEEP

    24576:8I3j32qQLhX/CUoDnbUVo2yhVx/NOMCh/zduiMxVRPXQJA:j6DhaJAMx/NOMChxp8PXg

Score
10/10
massloggerevasionspywarestealer

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main payload 5 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe'
          4⤵
          • Deletes itself
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2200-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2200-1-0x0000000001130000-0x000000000122E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/2200-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2200-3-0x00000000004A0000-0x00000000004B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2200-4-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2200-5-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2200-6-0x0000000005790000-0x000000000585A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2200-7-0x0000000000740000-0x0000000000746000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2200-8-0x0000000004E00000-0x0000000004EBC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2200-26-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-11-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-13-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-19-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-22-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-24-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-23-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-17-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-14-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-25-0x0000000001060000-0x00000000010D8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2220-9-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2220-27-0x0000000074BD0000-0x00000000752BE000-memory.dmp

    Filesize

    6.9MB

    Download