Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 12:43

General

  • Target

    9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    9e3856d35e9b55d33c1c919787907044

  • SHA1

    4bcb49aceccd54aebd5a723a2cc214ad4927b282

  • SHA256

    cf85df4419807f0d65e4ea91ee1c0ada18c945750533a480b1bc57c0669ddcf1

  • SHA512

    741d24e6b32852715536df9913dfba99f88656a1374e16201a4e7c45203b75a5d2a4e5ff7d13d8cb26b0ddee197675eb55b3334648923df83bdc18bb473e452a

  • SSDEEP

    98304:aqSh5zRZwYeMMIV3PsU6Z8y6TaOphYLYSHinQpUt/YV5DyzFf:ajHYOpCm/s9y

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9e3856d35e9b55d33c1c919787907044_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\ProgramData\Чистилка\Чистилка.exe
      C:\ProgramData\Чистилка\Чистилка.exe /srvcreate
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка Uninstall.lnk

    Filesize

    1KB

    MD5

    a0245f7e9c86725051025380bce02890

    SHA1

    367f0e48444ffac11bbd714f548a2c18463b2cb7

    SHA256

    2a2724bbcccda9f1a3eeff092405812cb33c13edd2b79285a33742fc039747a6

    SHA512

    4928be758dab113ea226444b93c08d808c033ea75e11af6234ff68eb47ab52898dec649746e15870cf4e9134b6008432e56a8bb9a959094f2f9a9126ae2b3b3f

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка.lnk

    Filesize

    1KB

    MD5

    58bcddcc3eac8d42898eb18aa2e06633

    SHA1

    47d4029d6763b375b98618917cd4122f9e8d6491

    SHA256

    51a0ccabe44d754c10c390128a70f824d3da524bfc7e4bf42014a64ae81bb857

    SHA512

    202d577d42536dc1df783c3fe1199a3df621f517914baac7a211b8496b1bd2d1eeb09cfbdd986c3b89d3157270f1df77d6b2004d8d12ba57a2b5395a2d6fdf35

  • \ProgramData\Чистилка\Чистилка.exe

    Filesize

    4.3MB

    MD5

    9e3856d35e9b55d33c1c919787907044

    SHA1

    4bcb49aceccd54aebd5a723a2cc214ad4927b282

    SHA256

    cf85df4419807f0d65e4ea91ee1c0ada18c945750533a480b1bc57c0669ddcf1

    SHA512

    741d24e6b32852715536df9913dfba99f88656a1374e16201a4e7c45203b75a5d2a4e5ff7d13d8cb26b0ddee197675eb55b3334648923df83bdc18bb473e452a

  • memory/1148-39-0x0000000000090000-0x00000000004EE000-memory.dmp

    Filesize

    4.4MB

  • memory/1148-43-0x0000000000090000-0x00000000004EE000-memory.dmp

    Filesize

    4.4MB