Analysis
- max time kernel: 119s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 15:46
Static task: static1
Behavioral task: behavioral1
- Sample: 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe
- Size: 365KB
- MD5: 8af1ce5d6c752384f75cfcbdd64a3a0e
- SHA1: ed0fbee2891faeaad9d00bf12db970c8631ea5df
- SHA256: 18983672df35273826ce71d6abdd66ec69f95b4b315b2e10b1d3836ee4c52ea8
- SHA512: b6107ffe6f9c00bbf8175058c8b37f462c87428221d857a56b71c58ec27283e979d505df706ca20892413fcbfffbfa3307a9553641d2ffb2bf3b9e85cf77c1f5
- SSDEEP: 6144:Y4/aPvK/KImIOkxts7FM7hi4eqT3yd5+wBcfWFkzJe6o0G:x/AvKSImrkxkM7hPO5+wefWFk9e6
Malware Config
Signatures
- Drops startup file (3 IoCs)
  Processes: cmd.exe, app.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe | cmd.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk | app.exe
- Executes dropped EXE (2 IoCs)
  Processes: app.exe, app.exe
  pid | process
  1956 | app.exe
  968 | app.exe
- Loads dropped DLL (1 IoC)
  Processes: app.exe
  pid | process
  1956 | app.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral1/memory/2820-4-0x0000000000200000-0x0000000000228000-memory.dmp | agile_net
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: app.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | app.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | app.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | app.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: app.exe
  description | pid | process | target process
  PID 1956 set thread context of 968 | 1956 | app.exe | app.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: app.exe
  pid | process
  968 | app.exe
  968 | app.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe, app.exe, app.exe
  description | pid | process
  Token: SeDebugPrivilege | 2820 | 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1956 | app.exe
  Token: SeDebugPrivilege | 968 | app.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: app.exe
  pid | process
  968 | app.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe, explorer.exe, app.exe
  description | pid | process | target process
  PID 2820 wrote to memory of 2540 | 2820 | 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe | cmd.exe (4 events)
  PID 2820 wrote to memory of 2844 | 2820 | 8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe | explorer.exe (4 events)
  PID 2980 wrote to memory of 1956 | 2980 | explorer.exe | app.exe (4 events)
  PID 1956 wrote to memory of 968 | 1956 | app.exe | app.exe (9 events)
- outlook_office_path (1 IoC)
  Processes: app.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | app.exe
- outlook_win_path (1 IoC)
  Processes: app.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | app.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\8af1ce5d6c752384f75cfcbdd64a3a0e_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    - Drops startup file
  - (depth 2) C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
- (depth 1) C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
  Filesize: 365KB
  MD5: 8af1ce5d6c752384f75cfcbdd64a3a0e
  SHA1: ed0fbee2891faeaad9d00bf12db970c8631ea5df
  SHA256: 18983672df35273826ce71d6abdd66ec69f95b4b315b2e10b1d3836ee4c52ea8
  SHA512: b6107ffe6f9c00bbf8175058c8b37f462c87428221d857a56b71c58ec27283e979d505df706ca20892413fcbfffbfa3307a9553641d2ffb2bf3b9e85cf77c1f5
- memory/968-16-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-36-0x0000000000360000-0x000000000036A000-memory.dmp
  Filesize: 40KB
- memory/968-35-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-31-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-27-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-23-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/968-21-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/968-18-0x0000000000080000-0x00000000000B4000-memory.dmp
  Filesize: 208KB
- memory/1956-13-0x0000000000250000-0x00000000002B4000-memory.dmp
  Filesize: 400KB
- memory/2820-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp
  Filesize: 4KB
- memory/2820-10-0x0000000074E50000-0x000000007553E000-memory.dmp
  Filesize: 6.9MB
- memory/2820-9-0x0000000074E50000-0x000000007553E000-memory.dmp
  Filesize: 6.9MB
- memory/2820-8-0x0000000074E5E000-0x0000000074E5F000-memory.dmp
  Filesize: 4KB
- memory/2820-5-0x0000000074E50000-0x000000007553E000-memory.dmp
  Filesize: 6.9MB
- memory/2820-4-0x0000000000200000-0x0000000000228000-memory.dmp
  Filesize: 160KB
- memory/2820-3-0x0000000074E50000-0x000000007553E000-memory.dmp
  Filesize: 6.9MB
- memory/2820-2-0x0000000004A40000-0x0000000004AD8000-memory.dmp
  Filesize: 608KB
- memory/2820-1-0x0000000000F70000-0x0000000000FD4000-memory.dmp
  Filesize: 400KB