Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 06:54

General

  • Target

    89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    89abee532ab6532b360b79e2394ebb4c

  • SHA1

    39bfc7dc34e89bef2361b235bfebbe5fa92921e7

  • SHA256

    3cf70f0343ce66c1ac52b00fba64d7f319f7b728aac04705c9db2811551c2ec7

  • SHA512

    5b3b39a0ee41ec8afb1c1998334837b47b32a055694e00d946a011cde32ae6041ea1a5060870579d8f6f473bc525b2849b4833e9e89430caf0a093de5327bf6d

  • SSDEEP

    24576:ubP+DRqZVUTl1111ZN6N6N6N6N6N6N6N6N6N6N6N6N6N:4gIZS1111

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, and infostealers often target it there.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe"
      2⤵
        PID:3576
      • C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3432

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\89abee532ab6532b360b79e2394ebb4c_JaffaCakes118.exe.log

        Filesize

        313B

        MD5

        181f8ee43a58681f752dbbd9784192b2

        SHA1

        0f8f8bf12da0aba71899eb027d20c374d3c863af

        SHA256

        b87a19bc9d31616efc3ee1b3a5f8db72888ec82a9fd9cdc3b5d642f1de345e77

        SHA512

        42f7d9a88f003a3f6629648c120db7600dbd175c4b1bdb0240f6e76619566177c7a750a89ae38c97d746f13ee4bc5a6b39b7ab7f6d78fa4567e4a0b6b1a7f88d

      • memory/2120-3-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

      • memory/2120-6-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2120-7-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2120-8-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2120-10-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2120-11-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2120-12-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2748-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

        Filesize

        4KB

      • memory/2748-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2748-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB

      • memory/2748-9-0x0000000074FC0000-0x0000000075571000-memory.dmp

        Filesize

        5.7MB