Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 26-05-2024 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
Size: 992KB
MD5: 73c81dd67773b2efa5261e20adf74a5b
SHA1: fde0db688d6abb4aad0bb646db9f1c192d980b5a
SHA256: ad32cadc3a75e969c0e8c25dfec398378aceb406017050763ce3c5d482998f42
SHA512: 8b2483b0dedf9d6b9329202d40544291b55601518c3b14f5df764e277114ee6538bdf6d08efcb8c3dad99ac7368471354acb1bf1ecd3f7da2c072f8c5a8e24d9
SSDEEP: 24576:8I3j32qQLhX/CUoDnbUVo2yhVx/NOMCh/zduiMxVRPXQJA:j6DhaJAMx/NOMChxp8PXg
Malware Config
Signatures
MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

MassLogger Main payload (1 IoC)
  resource: behavioral2/memory/4532-15-0x0000000000400000-0x00000000004B8000-memory.dmp
  yara_rule: family_masslogger

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Deletes itself (1 IoC)
  PID 1984  powershell.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
    Process: 73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1596 (73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe) set thread context of PID 4532 (procid_target 102)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1596  73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe  (2 IoCs)
  PID 4532  73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe  (2 IoCs)
  PID 1984  powershell.exe  (2 IoCs)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 1596  73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 4532  73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 1984  powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1596 (73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe) wrote to memory of PID 4356 (procid_target 101): 3 IoCs
  PID 1596 (73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe) wrote to memory of PID 4532 (procid_target 102): 8 IoCs
  PID 4532 (73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe) wrote to memory of PID 4220 (procid_target 103): 3 IoCs
  PID 4220 (cmd.exe) wrote to memory of PID 1984 (procid_target 105): 3 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
    PID: 1596
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
        PID: 4356

    [2] C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe"
        PID: 4532
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe' & exit
            PID: 4220
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe'
                PID: 1984
                - Deletes itself
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\73c81dd67773b2efa5261e20adf74a5b_JaffaCakes118.exe.log
  Filesize: 1KB
  MD5: 5200da2e50f24d5d543c3f10674acdcb
  SHA1: b574a3336839882d799c0a7f635ea238efb934ee
  SHA256: d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
  SHA512: 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb

(second file; no path given in the report)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82