Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-06-2024 22:57
Static task
static1
Behavioral task
behavioral1
Sample
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
9c37f5a3db978eec89bb52093fc8dc49
-
SHA1
eee81df2a4f566aabb8b0f04371d43d6625a42a5
-
SHA256
6978db51fe9bdbe67032e8094b62e09c343b61311f1c72c03f0d046eba5b707a
-
SHA512
969bea417ffe3138040e796de45287de1fcaef9510c061ab2ab558a59143d8b447628afdb428cc8f66f90b3c99291694698db38fdc9fe2a49166d96a60f5adb5
-
SSDEEP
12288:GCrzY0vUzKR1Zr7UTjpJIWpdcrNS8HoFusGXnxc7xxiHH/KKvt36RuA:GCr1aKR12jztQ2qcNUH5t36RuA
Malware Config
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/4340-26-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/4340-27-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/4340-29-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4328-14-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4328-16-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4328-17-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4328-24-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral2/memory/4328-14-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4328-16-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4328-17-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4328-24-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4340-26-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/4340-27-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/4340-29-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 51 bot.whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exeRegAsm.exedescription pid process target process PID 112 set thread context of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 3356 set thread context of 4328 3356 RegAsm.exe vbc.exe PID 3356 set thread context of 4340 3356 RegAsm.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exevbc.exeRegAsm.exepid process 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 4328 vbc.exe 3356 RegAsm.exe 3356 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe Token: SeDebugPrivilege 3356 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid process 3356 RegAsm.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exeRegAsm.exedescription pid process target process PID 112 wrote to memory of 1564 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe schtasks.exe PID 112 wrote to memory of 1564 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe schtasks.exe PID 112 wrote to memory of 1564 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe schtasks.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 112 wrote to memory of 3356 112 9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe RegAsm.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4328 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe PID 3356 wrote to memory of 4340 3356 RegAsm.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9c37f5a3db978eec89bb52093fc8dc49_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zbJrFJcE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5EB.tmp"2⤵
- Creates scheduled task(s)
PID:1564
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp3DE.tmp"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpC2C.tmp"3⤵
- Accesses Microsoft Outlook accounts
PID:4340
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:2392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD510fa8ec140c204486092fb161e567ec7
SHA14d63e1f8df3afefedb19df73d7ee5f3b1e7b6473
SHA2567176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04
SHA5129db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76
-
Filesize
1KB
MD59139993f9f066bc33e7998cfb1275d48
SHA1ed5ea679b4861849679134f8b514276f0927df2b
SHA2569dd3f4ae0ceab943ae8dcee359a66af77ee0ef40aa811923637e275cbb3b4205
SHA512f811ddf87abf11332137aa563851e19ff923715c834cd0388895a44dee9dce844f6aab3fbacb6e068f17bffb3330893395e06cea32c0ca2eda7f1f21964ec706