Overview

overview

9

Static

static

3

97e8516d8f...18.exe

windows7-x64

9

97e8516d8f...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    97e8516d8f563f9116c460b223e1c8a7

  • SHA1

    b041d889e23acd1632d428d49b63a16a6cd7890a

  • SHA256

    a8031971999f9b8332c545a15a0b9c0cb5eccc62ccf11d11ce280bee08c797df

  • SHA512

    d555e59a8f3833878447f125353340ed1f97963bca59cbb07ceea11a2b0a0d78ccce455179e67c360e9988126d52e2a3d4909503e32c27199d4c919339681ca6

  • SSDEEP

    24576:VQAperrOUj6k7ZqC301t/tJv0OWF0crmRMJE5+nahx:VQQk7ZxgBtFYuAmRMW5+nC

Score
9/10
collectionpersistence

Malware Config

Signatures

  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe PfFOZGIJAYdNeUFLDeL
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:2000
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaWREOPRXWUD
    Filesize

    474KB

    MD5

    af71b0c666ff11288ed1c89e40557d68

    SHA1

    77336099fdef38214ec97b5299a92faa1f01a47d

    SHA256

    045188a402aca551111e5423b4aea3f647abe6148999a2c48590392f3a69e88c

    SHA512

    22f861dae7b9b0ab9552129fad44e035ad2229052cc403db80dc6be596668aa7f65cc95ac5ae0026017e00d03420bd3b3fc6a6b48ba9409807e335c2792af485

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeL
    Filesize

    38KB

    MD5

    a759aa534f50dedcba4f00a1055e7a23

    SHA1

    4360b142cad45cf266e27b0000d61c7a21286180

    SHA256

    ad45347ba9a6515801ebd8e4dcf54efc8d2f6397c577978d3b37154e925474d4

    SHA512

    9ead4511393ceb253308254d3852ebf4c2fe970d78a289922ae54cca718f6974f03523462d0dc685d89859b35b930abd520904d604e2bc1610138e98783bc2c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Web.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
    Filesize

    732KB

    MD5

    71d8f6d5dc35517275bc38ebcc815f9f

    SHA1

    cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

    SHA256

    fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

    SHA512

    4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

    Download Submit

  • memory/1992-19-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-56-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-50-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-40-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-42-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-46-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2000-44-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-38-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-53-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2000-52-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2340-68-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-71-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-65-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-59-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-61-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-63-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-57-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2340-69-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2592-29-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2592-28-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2592-20-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2592-37-0x0000000073DB0000-0x000000007435B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2592-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2592-22-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2592-34-0x0000000073DB2000-0x0000000073DB4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2592-73-0x0000000073DB2000-0x0000000073DB4000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2592-74-0x0000000073DB0000-0x000000007435B000-memory.dmp

    Filesize

    5.7MB

    Download