Malware Analysis Report

2024-10-10 12:08

Sample ID 240613-q611wawbkl
Target a5e253bea590628a79f279952d774138_JaffaCakes118
SHA256 559d87ca5367eac152b1a179e44de6dd1e07b8dbaeaaf9cd3823e5601a0381d1
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

559d87ca5367eac152b1a179e44de6dd1e07b8dbaeaaf9cd3823e5601a0381d1

Threat Level: Shows suspicious behavior

The file a5e253bea590628a79f279952d774138_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:53

Reported

2024-06-13 13:55

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe | N/A
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe | N/A
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe

"C:\Users\Admin\AppData\Local\Temp/0a4b2514/vxKjVI3i.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.exe

MD5 0920b67a31662468e9eafdb6d9bc0f72
SHA1 3ca4031563a9844ff9d10d745d5365a902f556f8
SHA256 70ff83a4291e85aeac5037e92e8d743fbd63ed8d3dd72f436e0400e341f7ca65
SHA512 a8c0022e13f55a62d7f2b9e186aa67d2dcb4636faf6c8a5afcddf7c28aaa87c87d1bb7e64abbeb75c0c065fec7c41ebd4792f6405e4563303ffa51d79b7f41ea

C:\Users\Admin\AppData\Local\Temp\0a4b2514\vxKjVI3i.dat

MD5 30970d73f6b8ddec17d1eb0edecf0dcd
SHA1 8c3cc046d2074504b4122670845c945c074315dc
SHA256 fae332f73966df6488a2ba33d8792ee59b780866ae89fd204acb54efbdb1f2d6
SHA512 a77c4cfdb672630dd674da3ee38d19c5323ac8f376c10a7af4a39928450a76111451dda2fbdb0ed1050be54a60c793b8a8293cef7f01dcc19bc0350c2115dc0e

C:\Users\Admin\AppData\Local\Temp\0a4b2514\bcgfamhbionkbpcapdgknaecfcjlmjgk\background.html

MD5 84b8fec6b3d29df13fdfa2003016ba2b
SHA1 67952ed5773745eea36b248fb50b342e374ee929
SHA256 95597245bc0d71aa8a87c2131fc8fa1df8e799f4be63e6cc030b7ae3d73b4b7e
SHA512 463a2eae5b4be9bcb183194b10272bf9401d33608b36fd254239e23805651b16e3168a7ac43a3e0d8bafaf79ad7df3c4f870e5eeb4ca88f02dba69282b9a867c

C:\Users\Admin\AppData\Local\Temp\0a4b2514\bcgfamhbionkbpcapdgknaecfcjlmjgk\content.js

MD5 dbd727a2a1d1df3aed6c5405a5c977e5
SHA1 fde242f7daf8244f6374c1a11938de97afb34434
SHA256 f64806e6e773bad1b7106ef9f77a0de517d4052843eeb55efb86d24eaa99803d
SHA512 2dc899b240bdb82a4e6db8edb7bd655623d67fbbc43927da15af5bfcae5a5a4de3cd292047a4e77b8850ee9fce37aee639b3a7c14ee7d663d4f400584bd556f6

C:\Users\Admin\AppData\Local\Temp\0a4b2514\bcgfamhbionkbpcapdgknaecfcjlmjgk\lsdb.js

MD5 cbda098bd1697f1905b3f775e01a3546
SHA1 91f4421ef14d80f81765796d154b4ca9ad708bb3
SHA256 85b308b1824950c417466900fd4907b44cdc9ca24bda04fca39d760f3f1aad81
SHA512 b0aaff934ee39578aef92d10767d04eb0a8d9967518757161cfab7058984cd7b203eea563ebc21fbdb0e609e32e668149a72f3612fe316f5e017b77adc1f23f2

C:\Users\Admin\AppData\Local\Temp\0a4b2514\bcgfamhbionkbpcapdgknaecfcjlmjgk\manifest.json

MD5 a43145217bd7cf15cc6af7e5fc2b3312
SHA1 0589c6ae194583de25b9629f918be65f458a2160
SHA256 98bf341a7b139a21ff4640d195050d5e1830802129fa0e6ae3f9979b0b3c6337
SHA512 a405a10b986dc789da23518ced983ed1b549d45b2ffeef2bed0c36786d6f85444b79e2e094567a7894817bab820999aca79886fdec99241f0d96ba8f7913d869

C:\Users\Admin\AppData\Local\Temp\0a4b2514\bcgfamhbionkbpcapdgknaecfcjlmjgk\VgYX3CZjD.js

MD5 a2ca2155cb59a9872a4d5e875189295d
SHA1 18ffed0af892f38000147251d262ff7d414c8ed3
SHA256 1c1372e520d90eaac2efd4949558f6729355ea96e7be53a4074a87c8e84ecd2a
SHA512 46adedb1633d1ddda82af09a849673924e39f06743a4df92c3c70456864aba920113909e6d46d506d4067b88ea8221ac5c3fee624cbca24c0c6b701ae2528046

C:\Users\Admin\AppData\Local\Temp\0a4b2514\[email protected]\chrome.manifest

MD5 f78726514ecfbe04ebd2730cab30e2ff
SHA1 34c2d3acb433b4091677cf59b912f4272dc4b9a9
SHA256 22e17e79366c1351a0b1dc1f0eb35d55e6bc750250f6aa173ed0d6e31ef5c8e1
SHA512 2862a86593a0bd6adf364c87e4cb6402bc40e0bb8835ef4765ecb74cf606aa6fa35f6963404d19c670b8c0a315b72219ee18e72be7335884707118d8e0513184

C:\Users\Admin\AppData\Local\Temp\0a4b2514\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\0a4b2514\[email protected]\install.rdf

MD5 a33d7124d5e6b12b531823696d7f521a
SHA1 8e10906089049f2143653b6f2a38fc90a1282acd
SHA256 1d1cfeb7a3b6891dcee420c1f139bbaa860de708b27819f3f9e11eabe117e131
SHA512 4f73324bf7bbe33feac473d16d01b8281f2604b693868d6492ffd0d575687c48ea5f5e4df6ba44c85d5505bff32d0ad8aa4ba515ba68f66dca875e5107f9d8cf

C:\Users\Admin\AppData\Local\Temp\0a4b2514\[email protected]\content\bg.js

MD5 6c6ef6ae926454b89a62f13e85406c84
SHA1 21cfff87473223fdb0ba1fd1d040e087c992c77b
SHA256 fa8ad1c11729ebb4e82fcef4c0bd472e78fa12140a4ce72304fd5256c8a5d031
SHA512 09c0187de821224c61db7778537d794abbdf8c161d781a5f98cb0480afbb07b29bb6271a3dcdb0e58611489fcfd6c06324f4284bfdb364b200510f6bb83d8fb9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:53

Reported

2024-06-13 13:55

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A
File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A
File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A
File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5e253bea590628a79f279952d774138_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe

"C:\Users\Admin\AppData\Local\Temp/290e71f3/vxKjVI3i.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.exe

MD5 0920b67a31662468e9eafdb6d9bc0f72
SHA1 3ca4031563a9844ff9d10d745d5365a902f556f8
SHA256 70ff83a4291e85aeac5037e92e8d743fbd63ed8d3dd72f436e0400e341f7ca65
SHA512 a8c0022e13f55a62d7f2b9e186aa67d2dcb4636faf6c8a5afcddf7c28aaa87c87d1bb7e64abbeb75c0c065fec7c41ebd4792f6405e4563303ffa51d79b7f41ea

C:\Users\Admin\AppData\Local\Temp\290e71f3\vxKjVI3i.dat

MD5 30970d73f6b8ddec17d1eb0edecf0dcd
SHA1 8c3cc046d2074504b4122670845c945c074315dc
SHA256 fae332f73966df6488a2ba33d8792ee59b780866ae89fd204acb54efbdb1f2d6
SHA512 a77c4cfdb672630dd674da3ee38d19c5323ac8f376c10a7af4a39928450a76111451dda2fbdb0ed1050be54a60c793b8a8293cef7f01dcc19bc0350c2115dc0e

C:\Users\Admin\AppData\Local\Temp\290e71f3\bcgfamhbionkbpcapdgknaecfcjlmjgk\background.html

MD5 84b8fec6b3d29df13fdfa2003016ba2b
SHA1 67952ed5773745eea36b248fb50b342e374ee929
SHA256 95597245bc0d71aa8a87c2131fc8fa1df8e799f4be63e6cc030b7ae3d73b4b7e
SHA512 463a2eae5b4be9bcb183194b10272bf9401d33608b36fd254239e23805651b16e3168a7ac43a3e0d8bafaf79ad7df3c4f870e5eeb4ca88f02dba69282b9a867c

C:\Users\Admin\AppData\Local\Temp\290e71f3\bcgfamhbionkbpcapdgknaecfcjlmjgk\content.js

MD5 dbd727a2a1d1df3aed6c5405a5c977e5
SHA1 fde242f7daf8244f6374c1a11938de97afb34434
SHA256 f64806e6e773bad1b7106ef9f77a0de517d4052843eeb55efb86d24eaa99803d
SHA512 2dc899b240bdb82a4e6db8edb7bd655623d67fbbc43927da15af5bfcae5a5a4de3cd292047a4e77b8850ee9fce37aee639b3a7c14ee7d663d4f400584bd556f6

C:\Users\Admin\AppData\Local\Temp\290e71f3\bcgfamhbionkbpcapdgknaecfcjlmjgk\lsdb.js

MD5 cbda098bd1697f1905b3f775e01a3546
SHA1 91f4421ef14d80f81765796d154b4ca9ad708bb3
SHA256 85b308b1824950c417466900fd4907b44cdc9ca24bda04fca39d760f3f1aad81
SHA512 b0aaff934ee39578aef92d10767d04eb0a8d9967518757161cfab7058984cd7b203eea563ebc21fbdb0e609e32e668149a72f3612fe316f5e017b77adc1f23f2

C:\Users\Admin\AppData\Local\Temp\290e71f3\bcgfamhbionkbpcapdgknaecfcjlmjgk\manifest.json

MD5 a43145217bd7cf15cc6af7e5fc2b3312
SHA1 0589c6ae194583de25b9629f918be65f458a2160
SHA256 98bf341a7b139a21ff4640d195050d5e1830802129fa0e6ae3f9979b0b3c6337
SHA512 a405a10b986dc789da23518ced983ed1b549d45b2ffeef2bed0c36786d6f85444b79e2e094567a7894817bab820999aca79886fdec99241f0d96ba8f7913d869

C:\Users\Admin\AppData\Local\Temp\290e71f3\bcgfamhbionkbpcapdgknaecfcjlmjgk\VgYX3CZjD.js

MD5 a2ca2155cb59a9872a4d5e875189295d
SHA1 18ffed0af892f38000147251d262ff7d414c8ed3
SHA256 1c1372e520d90eaac2efd4949558f6729355ea96e7be53a4074a87c8e84ecd2a
SHA512 46adedb1633d1ddda82af09a849673924e39f06743a4df92c3c70456864aba920113909e6d46d506d4067b88ea8221ac5c3fee624cbca24c0c6b701ae2528046

C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\VgYX3CZjD.js

MD5 e691afb65efe012047f19ac4e255dd75
SHA1 561de0ef0e96b803772e11717f7566806b53fe13
SHA256 defd134facb984a3d519a5506b9497a57cebfa1b54aab0b54b6db75b34ad24d4
SHA512 04d022ab54ffc0569117e8e910dffe4345c77dce1bf2faf681e627842d65f371240bedd117f53048903e833a75d8d78028f24ce23b2928eeffa63b2c94d4c4cd

C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\manifest.json

MD5 6112c38d0d9a271ef0fc2c7d48c6b6af
SHA1 9f8bbe60dbd78699094c1b132bfa796180f959d0
SHA256 7735cd372e59cc8010da46299e25b0d752a62c80951a76a7b12595aef4d8c181
SHA512 e46ff84d87570475259544ed5dd215e718eafde29ca57d7342acf5ec8a51b95213696fd6c849cf25d14f70cef290135ea159a4491940db47111fa15e937ac118

C:\Users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\bcgfamhbionkbpcapdgknaecfcjlmjgk\5.14\lsdb.js

MD5 901bd51ae1704f55806d174122d5f0c9
SHA1 b72c4bf7a0e6b66fa5362171d3ac617900ee0435
SHA256 d0b1b323ff366f7520119d5814a207af93057bd9ce2b165267d73bca60b825b0
SHA512 96e0f085a4ef2cbd7756d1d7ce1def3cde9bcfd33efdd69bfbff4d6aa31128218ecc459dfc8e7556c23254af92e29ff29983df83e214f08a0b49448d3c2b9309

C:\Users\Admin\AppData\Local\Temp\290e71f3\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\290e71f3\[email protected]\content\bg.js

MD5 6c6ef6ae926454b89a62f13e85406c84
SHA1 21cfff87473223fdb0ba1fd1d040e087c992c77b
SHA256 fa8ad1c11729ebb4e82fcef4c0bd472e78fa12140a4ce72304fd5256c8a5d031
SHA512 09c0187de821224c61db7778537d794abbdf8c161d781a5f98cb0480afbb07b29bb6271a3dcdb0e58611489fcfd6c06324f4284bfdb364b200510f6bb83d8fb9

C:\Users\Admin\AppData\Local\Temp\290e71f3\[email protected]\chrome.manifest

MD5 f78726514ecfbe04ebd2730cab30e2ff
SHA1 34c2d3acb433b4091677cf59b912f4272dc4b9a9
SHA256 22e17e79366c1351a0b1dc1f0eb35d55e6bc750250f6aa173ed0d6e31ef5c8e1
SHA512 2862a86593a0bd6adf364c87e4cb6402bc40e0bb8835ef4765ecb74cf606aa6fa35f6963404d19c670b8c0a315b72219ee18e72be7335884707118d8e0513184

C:\Users\Admin\AppData\Local\Temp\290e71f3\[email protected]\install.rdf

MD5 a33d7124d5e6b12b531823696d7f521a
SHA1 8e10906089049f2143653b6f2a38fc90a1282acd
SHA256 1d1cfeb7a3b6891dcee420c1f139bbaa860de708b27819f3f9e11eabe117e131
SHA512 4f73324bf7bbe33feac473d16d01b8281f2604b693868d6492ffd0d575687c48ea5f5e4df6ba44c85d5505bff32d0ad8aa4ba515ba68f66dca875e5107f9d8cf