Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 23:49

General

  • Target
    a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
  • Size
    1.3MB
  • MD5
    a300c967ac1fe5443c063852aead705c
  • SHA1
    2729c7a98a38e7d14446f6b946c19a7cbba3db66
  • SHA256
    cf076dabda6a07d557f4f57f83317785840f24750eb3efb2c5cdea6db7bec9f6
  • SHA512
    941347bd445a2e10d107b60134a8408edd030e2a790108690aea64e048fc20251284eb24b53250a4ff0df2c2e437284eaffcb760291b59c77c9d075ae9cd519e
  • SSDEEP
    12288:lCrzYHUgB4ssurq8PXsSMqYO1Dil080r6VclCZ6FjTYhYwiHx9:lCrWB4ssurMSMk1DHtE6FjUhYx

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView (3 IoCs)
    Password recovery tool for various email clients
  • NirSoft WebBrowserPassView (4 IoCs)
    Password recovery tool for various web browsers
  • Nirsoft (7 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
  • Uses the VBS compiler for execution (1 TTP)
  • Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a300c967ac1fe5443c063852aead705c_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5548
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRoKoQbEDr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:5908
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp177B.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2360
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp1B83.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp177B.tmp
    Filesize
    4KB
    MD5
    cf3a1bffdc9d8c82debb6f29d9b340cd
    SHA1
    a36a4793e51bb89c84bc3629254f1b48867eb4a9
    SHA256
    c478c1b2ac1314506490e4a682c38ebaba1965c910d3bafbbd9da4b020404355
    SHA512
    77c8a1ec2743372aff2f7de9e2363e498c6a66e51b1dc23d6012c50d0e1f1f6001bfe781f49dfa636e71575f3984f46d7a44f92351aafbe1546e7c193bfe444d
  • C:\Users\Admin\AppData\Local\Temp\tmpEDAC.tmp
    Filesize
    1KB
    MD5
    d2e4ce49a4aa07a441ccb68812da48c4
    SHA1
    d9d44c223c7ab7699d896e3a18ea14f44c340791
    SHA256
    a1e24108e7dde26787697387fc419c9f35a02897898b32e21ad0c8122996c5fb
    SHA512
    94d0482e2592177af7127ac8ea94c370ff6576b7fb56f632c1f2c55a6c05fafe0abd5f08274dcc941c345c478d39ed8c00b27bbb5ee28cf31dc2813a756ce9d1
  • memory/1460-29-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize
    112KB
  • memory/1460-27-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize
    112KB
  • memory/1460-26-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize
    112KB
  • memory/1460-28-0x0000000000420000-0x00000000004E9000-memory.dmp
    Filesize
    804KB
  • memory/2360-24-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize
    364KB
  • memory/2360-15-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize
    364KB
  • memory/2360-17-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize
    364KB
  • memory/2360-18-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize
    364KB
  • memory/2548-9-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/2548-10-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/2548-12-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/2548-30-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/5548-5-0x0000000075072000-0x0000000075073000-memory.dmp
    Filesize
    4KB
  • memory/5548-13-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/5548-0-0x0000000075072000-0x0000000075073000-memory.dmp
    Filesize
    4KB
  • memory/5548-4-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/5548-3-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/5548-2-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB
  • memory/5548-1-0x0000000075070000-0x0000000075621000-memory.dmp
    Filesize
    5.7MB