Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 08:34

Static task: static1
Behavioral task: behavioral1
  Sample: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
Size: 45KB
MD5: 9123f76f8eea0532caaf7f688a648ad8
SHA1: f7baa0fde28b0e144539ceb0ffcace0563720971
SHA256: 3bad41bc9d62f8f77adb5907196afbcd6255d3fd731cdbf35817ce3243cf5b8f
SHA512: 32844f6038ee5ff5088f0f184deb318bbc8fac41e92540b0756653942ca322f8b81395d745da958164c74fe32dd8db226a2e0274147a268e2f781f78ee120c12
SSDEEP: 768:ccBR6PwZ7UFRZa9R0wHuOviewu6gOTXx7xTDkh6W0rt5fLB8J6aL0vBYHiNG0TB:oEwu6gOzxNS6W0rtdB8JruBYHiG0F
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: HWuDiHL.exe, PID 2520

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\HWuDiHL.exe"
  The autostart value is named "Anti-Malware" but its data points at the dropped executable in the user's Temp directory, so the payload is relaunched at each logon of this user (HKCU Run key, no elevation needed).

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe, PID 3040
  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3040 (9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe) wrote to memory of PID 2848 (csc.exe), 3 events
  PID 2848 (csc.exe) wrote to memory of PID 2612 (cvtres.exe), 3 events
  PID 3040 (9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe) wrote to memory of PID 2520 (HWuDiHL.exe), 3 events
  Every recorded write targets a process that the writer itself had just created (see the process tree below), which is what ordinary process start-up looks like; no write into a pre-existing, unrelated process is recorded, so this signature on its own is not evidence of code injection here.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe"
   PID: 3040
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
     Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdbc41zy\wdbc41zy.cmdline"
     PID: 2848
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
       Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88F48E09DFB7418097E71C2373F37347.TMP"
       PID: 2612
  2. C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe"
     PID: 2520
     - Executes dropped EXE

The csc.exe invocation with /noconfig /fullpaths and an @"...\<random 8 chars>\<same>.cmdline" response file under Temp, followed by cvtres.exe writing a RES*.tmp resource object, is the footprint left by the .NET Framework's CodeDom compiler (CSharpCodeProvider) when a managed program compiles C# source at runtime. The sample therefore builds code on the victim machine using the in-box compiler, then launches HWuDiHL.exe from the same Temp directory and registers that file in the Run key. The report does not show whether HWuDiHL.exe is the compiled output or a separately dropped file.
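The behaviour chain recorded above (Temp-resident dropper invokes csc.exe/cvtres.exe, writes a Run value pointing into Temp, then runs a second Temp-resident executable) can be expressed as detection logic over process-creation and registry-set telemetry. The following is an added example written for this report, not sandbox output or code from the sample. The event records are constructed to mirror the process tree and the Run-key IoC shown here, with the reported PIDs and paths; the parent of PID 3040 (explorer.exe, PID 1000) is an assumption, since the report does not record it.

```python
"""Detection rules for the dropper -> runtime-compile -> persist chain in this report.
Added example; events below are constructed from the report's process tree and
registry IoC. The explorer.exe parent of PID 3040 is assumed, not reported."""
import re
from dataclasses import dataclass

# User Temp directory as it appears in image paths and registry data.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# HKCU/HKLM autostart keys (Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# In-box .NET compiler tooling a dropper can invoke to build code at runtime.
COMPILER_IMAGES = {"csc.exe", "vbc.exe", "cvtres.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegistrySet:
    pid: int
    key: str
    data: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9123f76f8eea0532caaf7f688a648ad8_JaffaCakes118.exe"
FX64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
CSC = FX64 + r"\csc.exe"
CVTRES = FX64 + r"\cvtres.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\HWuDiHL.exe"

# Constructed events mirroring the report's process tree (PIDs as reported).
PROCESSES = [
    ProcessCreate(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed launcher
    ProcessCreate(3040, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcessCreate(2848, 3040, CSC, '"' + CSC + r'" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdbc41zy\wdbc41zy.cmdline"'),
    ProcessCreate(2612, 2848, CVTRES, CVTRES + r' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88F48E09DFB7418097E71C2373F37347.TMP"'),
    ProcessCreate(2520, 3040, DROPPED, '"' + DROPPED + '"'),
]

# Constructed registry event mirroring the report's Run-key IoC (note the doubled backslash).
REGISTRY = [
    RegistrySet(3040,
                r"\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Malware",
                r"C:\Users\Admin\AppData\Local\Temp\\HWuDiHL.exe"),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def norm_path(s: str) -> str:
    """Lower-case, drop surrounding quotes and collapse repeated backslashes."""
    return re.sub(r"\\+", r"\\", s.strip('"')).lower()


def run_key_into_temp(events):
    """Persistence: an autostart Run value whose data points into a user Temp directory."""
    return [e for e in events if RUN_KEY_RE.search(e.key) and TEMP_RE.search(e.data)]


def compiler_chain(processes):
    """Runtime compilation: csc/vbc spawned by a Temp-resident binary, plus any
    cvtres.exe the compiler itself launches. Returns the PIDs of the compiler processes."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for p in processes:
        if image_name(p.image) not in COMPILER_IMAGES:
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        if TEMP_RE.search(parent.image) or image_name(parent.image) in COMPILER_IMAGES:
            hits.append(p.pid)
    return hits


def dropped_exe_executed(processes):
    """A Temp-resident parent launching a different Temp-resident executable."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for p in processes:
        parent = by_pid.get(p.ppid)
        if (parent and TEMP_RE.search(p.image) and TEMP_RE.search(parent.image)
                and image_name(p.image) != image_name(parent.image)):
            hits.append(p.pid)
    return hits


def persisted_dropped_payloads(processes, events):
    """Highest-confidence correlation: a Run value whose data names an executable
    that the same chain also dropped into Temp and executed."""
    by_pid = {p.pid: p for p in processes}
    ran = {norm_path(by_pid[pid].image) for pid in dropped_exe_executed(processes)}
    return [e for e in run_key_into_temp(events) if norm_path(e.data) in ran]


if __name__ == "__main__":
    for e in persisted_dropped_payloads(PROCESSES, REGISTRY):
        print("persisted dropped payload:", e.data, "via", e.key)
    print("runtime-compiler chain PIDs:", compiler_chain(PROCESSES))
```

The compiler rule deliberately keys on the parent's location rather than on csc.exe alone: csc.exe is legitimately spawned by PowerShell's Add-Type, by build tools and by some installers, so the Temp-resident parent is what makes this chain worth an alert. The correlation rule normalises the doubled backslash in the Run data before comparing it with the executed image path; a literal string comparison would miss this IoC.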
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9KB
MD5: 76bba4dc03cb86776a2459bf2d5a61b7
SHA1: aaf3015888e85d60046fe0cae3bb292a7be6e22d
SHA256: 70a877f413cd7088816b8679d182c7ae279f44739b443636ac2c53595b3c5d19
SHA512: 50e3ab19f8f002c619a8bc76b15dcfab04d88338304e72e295463d41a52ec0f5af5624fa551ee694cb6a0e78687263041511324d361e97ad165b84baec85d436

Filesize: 1KB
MD5: 6ceec69493e440e67594c27835628186
SHA1: b6978da7462c8f0ba959c8f779f5efd15410a464
SHA256: 67a300865ff6ea7df0794ae55d1f05e68193137293052c26cf89f25b74d56e9f
SHA512: dec8c81261064f1c79b93847e65a824c8e2cd068c8cc3db750d0e06742479ace1d475265bfc1ddcf525b8ba444e34246adeb9aff23c6dcd322f1f8eb2b348a11

Filesize: 1KB
MD5: 82af65a7bfa25a563b875f8a4f9ef7d0
SHA1: 09bbe433f4d38484c7b81e042d39b7899afd0b4e
SHA256: 36983238115a95177bb1582ebacef998c1df05cf9d1867bdd1f99bd2b693e05e
SHA512: 0b7bc83e6a5f08f735443d4305ff162abbcfcad4875b3a3275953a937ba9ce61ed79f474af7529c97bcb768eee480ccc5b71fd4747e91b01e165fba4b4c38276

Filesize: 7KB
MD5: e4d1e2a4c45890f54e898cefb6b1845e
SHA1: 1051b343953ad8a06d799fd1368a8b4956028169
SHA256: 2074de6b935e63c02e264574caa131c16b9cccd39b3b0a3f261bff7151ae39df
SHA512: 3ff59388f26f7f5b02284cba0ea5883254e2fdcb754aa1b6ffb3b95c1e8fc00152d869b7606bb5d0f3b73a80e43ab6e27c26203fa95ccf7038ecccb28fe6ad4e

Filesize: 210B
MD5: 7f00290949a518656f0d1868ac72d614
SHA1: ed1f6840d72af07755dc7898d7852a52b896c76e
SHA256: 908d91136e33c8b08ed01cb2c3656886e2e19d4b32032bdd0c932265d3018a71
SHA512: 9f736eabe2966b13e315bc3b3d5388c3193be82a77260ac3e78d391eef6d04131afd65ac432b3d980bbd4a29bc2ee65c25f069ee7a985a8fae28e3b7c04dde7c