Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 23:49
Static task: static1
Behavioral task: behavioral1
- Sample: a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- Size: 1.3MB
- MD5: a300c967ac1fe5443c063852aead705c
- SHA1: 2729c7a98a38e7d14446f6b946c19a7cbba3db66
- SHA256: cf076dabda6a07d557f4f57f83317785840f24750eb3efb2c5cdea6db7bec9f6
- SHA512: 941347bd445a2e10d107b60134a8408edd030e2a790108690aea64e048fc20251284eb24b53250a4ff0df2c2e437284eaffcb760291b59c77c9d075ae9cd519e
- SSDEEP: 12288:lCrzYHUgB4ssurq8PXsSMqYO1Dil080r6VclCZ6FjTYhYwiHx9:lCrWB4ssurMSMk1DHtE6FjUhYx
Malware Config
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
resource / yara_rule:
- behavioral2/memory/1460-26-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
- behavioral2/memory/1460-27-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView
- behavioral2/memory/1460-29-0x0000000000400000-0x000000000041C000-memory.dmp / MailPassView

NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
resource / yara_rule:
- behavioral2/memory/2360-15-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
- behavioral2/memory/2360-17-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
- behavioral2/memory/2360-18-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView
- behavioral2/memory/2360-24-0x0000000000400000-0x000000000045B000-memory.dmp / WebBrowserPassView

Nirsoft (7 IoCs)
resource / yara_rule:
- behavioral2/memory/2360-15-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
- behavioral2/memory/2360-17-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
- behavioral2/memory/2360-18-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
- behavioral2/memory/2360-24-0x0000000000400000-0x000000000045B000-memory.dmp / Nirsoft
- behavioral2/memory/1460-26-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
- behavioral2/memory/1460-27-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
- behavioral2/memory/1460-29-0x0000000000400000-0x000000000041C000-memory.dmp / Nirsoft
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description / ioc / Process:
- Key opened / \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / vbc.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 36 / bot.whatismyipaddress.com
Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
- PID 5548 set thread context of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 2548 set thread context of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 set thread context of 1460 / 2548 / RegAsm.exe / 94

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 5908 / schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid / Process:
- 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2360 / vbc.exe
- 2548 / RegAsm.exe
- 2548 / RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
- Token: SeDebugPrivilege / 2548 / RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid / Process:
- 2548 / RegAsm.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description / pid / Process / procid_target:
- PID 5548 wrote to memory of 5908 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 90
- PID 5548 wrote to memory of 5908 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 90
- PID 5548 wrote to memory of 5908 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 90
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 5548 wrote to memory of 2548 / 5548 / a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe / 92
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 2360 / 2548 / RegAsm.exe / 93
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
- PID 2548 wrote to memory of 1460 / 2548 / RegAsm.exe / 94
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe"
  PID: 5548
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRoKoQbEDr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp"
    PID: 5908
    - Creates scheduled task(s)

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 2548
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp177B.tmp"
      PID: 2360
      - Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B83.tmp"
      PID: 1460
      - Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: cf3a1bffdc9d8c82debb6f29d9b340cd
  SHA1: a36a4793e51bb89c84bc3629254f1b48867eb4a9
  SHA256: c478c1b2ac1314506490e4a682c38ebaba1965c910d3bafbbd9da4b020404355
  SHA512: 77c8a1ec2743372aff2f7de9e2363e498c6a66e51b1dc23d6012c50d0e1f1f6001bfe781f49dfa636e71575f3984f46d7a44f92351aafbe1546e7c193bfe444d
- Filesize: 1KB
  MD5: d2e4ce49a4aa07a441ccb68812da48c4
  SHA1: d9d44c223c7ab7699d896e3a18ea14f44c340791
  SHA256: a1e24108e7dde26787697387fc419c9f35a02897898b32e21ad0c8122996c5fb
  SHA512: 94d0482e2592177af7127ac8ea94c370ff6576b7fb56f632c1f2c55a6c05fafe0abd5f08274dcc941c345c478d39ed8c00b27bbb5ee28cf31dc2813a756ce9d1