Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 03-06-2024 08:34

General

  • Target: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  • Size: 45KB
  • MD5: 9123f76f8eea0532caaf7f688a648ad8
  • SHA1: f7baa0fde28b0e144539ceb0ffcace0563720971
  • SHA256: 3bad41bc9d62f8f77adb5907196afbcd6255d3fd731cdbf35817ce3243cf5b8f
  • SHA512: 32844f6038ee5ff5088f0f184deb318bbc8fac41e92540b0756653942ca322f8b81395d745da958164c74fe32dd8db226a2e0274147a268e2f781f78ee120c12
  • SSDEEP: 768:ccBR6PwZ7UFRZa9R0wHuOviewu6gOTXx7xTDkh6W0rt5fLB8J6aL0vBYHiNG0TB:oEwu6gOzxNS6W0rtdB8JruBYHiG0F

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe (PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe"
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2848)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdbc41zy\wdbc41zy.cmdline"
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2612)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88F48E09DFB7418097E71C2373F37347.TMP"
    • C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe (PID 2520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe"
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe
    Filesize: 9KB
    MD5: 76bba4dc03cb86776a2459bf2d5a61b7
    SHA1: aaf3015888e85d60046fe0cae3bb292a7be6e22d
    SHA256: 70a877f413cd7088816b8679d182c7ae279f44739b443636ac2c53595b3c5d19
    SHA512: 50e3ab19f8f002c619a8bc76b15dcfab04d88338304e72e295463d41a52ec0f5af5624fa551ee694cb6a0e78687263041511324d361e97ad165b84baec85d436

  • C:\Users\Admin\AppData\Local\Temp\RES25D8.tmp
    Filesize: 1KB
    MD5: 6ceec69493e440e67594c27835628186
    SHA1: b6978da7462c8f0ba959c8f779f5efd15410a464
    SHA256: 67a300865ff6ea7df0794ae55d1f05e68193137293052c26cf89f25b74d56e9f
    SHA512: dec8c81261064f1c79b93847e65a824c8e2cd068c8cc3db750d0e06742479ace1d475265bfc1ddcf525b8ba444e34246adeb9aff23c6dcd322f1f8eb2b348a11

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC88F48E09DFB7418097E71C2373F37347.TMP
    Filesize: 1KB
    MD5: 82af65a7bfa25a563b875f8a4f9ef7d0
    SHA1: 09bbe433f4d38484c7b81e042d39b7899afd0b4e
    SHA256: 36983238115a95177bb1582ebacef998c1df05cf9d1867bdd1f99bd2b693e05e
    SHA512: 0b7bc83e6a5f08f735443d4305ff162abbcfcad4875b3a3275953a937ba9ce61ed79f474af7529c97bcb768eee480ccc5b71fd4747e91b01e165fba4b4c38276

  • \??\c:\Users\Admin\AppData\Local\Temp\wdbc41zy\wdbc41zy.0.cs
    Filesize: 7KB
    MD5: e4d1e2a4c45890f54e898cefb6b1845e
    SHA1: 1051b343953ad8a06d799fd1368a8b4956028169
    SHA256: 2074de6b935e63c02e264574caa131c16b9cccd39b3b0a3f261bff7151ae39df
    SHA512: 3ff59388f26f7f5b02284cba0ea5883254e2fdcb754aa1b6ffb3b95c1e8fc00152d869b7606bb5d0f3b73a80e43ab6e27c26203fa95ccf7038ecccb28fe6ad4e

  • \??\c:\Users\Admin\AppData\Local\Temp\wdbc41zy\wdbc41zy.cmdline
    Filesize: 210B
    MD5: 7f00290949a518656f0d1868ac72d614
    SHA1: ed1f6840d72af07755dc7898d7852a52b896c76e
    SHA256: 908d91136e33c8b08ed01cb2c3656886e2e19d4b32032bdd0c932265d3018a71
    SHA512: 9f736eabe2966b13e315bc3b3d5388c3193be82a77260ac3e78d391eef6d04131afd65ac432b3d980bbd4a29bc2ee65c25f069ee7a985a8fae28e3b7c04dde7c

  • memory/2520-28-0x00000000011D0000-0x00000000011D8000-memory.dmp (Filesize: 32KB)
  • memory/3040-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp (Filesize: 4KB)
  • memory/3040-1-0x0000000000B30000-0x0000000000B42000-memory.dmp (Filesize: 72KB)
  • memory/3040-12-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp (Filesize: 9.9MB)
  • memory/3040-29-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp (Filesize: 9.9MB)