Overview

overview

9

Static

static

3

97e8516d8f...18.exe

windows7-x64

9

97e8516d8f...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    134s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    97e8516d8f563f9116c460b223e1c8a7

  • SHA1

    b041d889e23acd1632d428d49b63a16a6cd7890a

  • SHA256

    a8031971999f9b8332c545a15a0b9c0cb5eccc62ccf11d11ce280bee08c797df

  • SHA512

    d555e59a8f3833878447f125353340ed1f97963bca59cbb07ceea11a2b0a0d78ccce455179e67c360e9988126d52e2a3d4909503e32c27199d4c919339681ca6

  • SSDEEP

    24576:VQAperrOUj6k7ZqC301t/tJv0OWF0crmRMJE5+nahx:VQQk7ZxgBtFYuAmRMW5+nC

Score
9/10
collectionpersistence

Malware Config

Signatures

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe PfFOZGIJAYdNeUFLDeL
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        - CmdLine Args
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:1616
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4740
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8
    1⤵
      PID:432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaWREOPRXWUD
      Filesize

      474KB

      MD5

      af71b0c666ff11288ed1c89e40557d68

      SHA1

      77336099fdef38214ec97b5299a92faa1f01a47d

      SHA256

      045188a402aca551111e5423b4aea3f647abe6148999a2c48590392f3a69e88c

      SHA512

      22f861dae7b9b0ab9552129fad44e035ad2229052cc403db80dc6be596668aa7f65cc95ac5ae0026017e00d03420bd3b3fc6a6b48ba9409807e335c2792af485

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeL
      Filesize

      38KB

      MD5

      a759aa534f50dedcba4f00a1055e7a23

      SHA1

      4360b142cad45cf266e27b0000d61c7a21286180

      SHA256

      ad45347ba9a6515801ebd8e4dcf54efc8d2f6397c577978d3b37154e925474d4

      SHA512

      9ead4511393ceb253308254d3852ebf4c2fe970d78a289922ae54cca718f6974f03523462d0dc685d89859b35b930abd520904d604e2bc1610138e98783bc2c4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
      Filesize

      732KB

      MD5

      71d8f6d5dc35517275bc38ebcc815f9f

      SHA1

      cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

      SHA256

      fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

      SHA512

      4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Web.txt
      Filesize

      3KB

      MD5

      b9daf88205e7429feaceda806bd561d2

      SHA1

      1893c80e74cfea9914343c6e4213393804a92dd1

      SHA256

      efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027

      SHA512

      649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1

      Download Submit

    • memory/1456-23-0x00000000730F2000-0x00000000730F3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1456-19-0x0000000000540000-0x00000000005BC000-memory.dmp

      Filesize

      496KB

      Download

    • memory/1456-27-0x00000000730F0000-0x00000000736A1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-28-0x00000000730F0000-0x00000000736A1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-29-0x00000000730F0000-0x00000000736A1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-49-0x00000000730F0000-0x00000000736A1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-48-0x00000000730F0000-0x00000000736A1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1456-47-0x00000000730F2000-0x00000000730F3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1616-35-0x0000000000420000-0x00000000004E9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/1616-37-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1616-34-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1616-32-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2204-17-0x0000000002630000-0x0000000002631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-38-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4740-39-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4740-46-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download