Analysis

  • max time kernel: 122s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-06-2024 06:57

General

  • Target: a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe
  • Size: 715KB
  • MD5: a86ba7b2d74e7d734c30d96d839fa093
  • SHA1: 29ded5b62254cb3e2858953d27beb5599a451a88
  • SHA256: 16e5c3b11d202d74cc723470ce9d68e9c166ebd1d4f7bac9ab782b910d17e2dc
  • SHA512: c873206cb541605656db650868c0f99c9717be31a79e7826e91e9775fcf807d3cb90d16604f54743e4dcd4a0e3652b3d91dae1ebf857f8d437317bfa006d43ec
  • SSDEEP: 12288:/4Vcmjo5jAHA1Gzx2I38fuglVdqz2HpBkhjr5Kq0FOt:/N2oRq4LllVAzGyjr5KFs

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Drops Chrome extension (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe
      "C:\Users\Admin\AppData\Local\Temp/00294823/umypQ1hCsK.exe"
      2⤵
      • Executes dropped EXE
      • Drops Chrome extension
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\DDoMwHVj8m_.js
    Filesize: 5KB
    MD5: a2fc8498dda3769805b3f3644d55c5cb
    SHA1: d697d34445c2ecb5c18be6bee5769f033a370a51
    SHA256: 469c21d222d88b581ce6c6889d31f8fe9fc1fb54be764354b66df6549844f72f
    SHA512: 743b6e7e1e5e988b80f3f8065e9b33e05ce570c36c8d6a49614b7b7becda72a2cf7c119f1d8be40848abd30766e57c70a73b41da2f93a79a8a4394eef76fd944

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\background.html
    Filesize: 148B
    MD5: 69149d2f17bd339e09edde3150565e34
    SHA1: 5723aac5c7343ac8e9c5323336ad310293bb21a5
    SHA256: 0d3ca859b2a91c39d537761ef4e321d7db61bb00176aa09378f86a8bf8a6a0d5
    SHA512: 2a82b4ac5a393fa08cbc1693584f84105a72af5ccad1487b23df3938152ccb9673dbfa948a42238a13395cc308f4e1c4bfde9e5edde2fa413f0226a2251354ae

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\content.js
    Filesize: 197B
    MD5: 5f9891607f65f433b0690bae7088b2c1
    SHA1: b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
    SHA256: fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
    SHA512: 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\icon48.png
    Filesize: 31KB
    MD5: 2d9fa528304f24e9cd384cf3db6fdd79
    SHA1: 1c3e8f317a4d6f7d0072d6fc11d513f57387d9ee
    SHA256: e6fb5927cd13f2c4f3e5096f7f278dc56aece7575389a8db6efb8d85aefaba20
    SHA512: d31a056a26b8d2a98f6f298c1ae50fe130b0c52923ebbbb8886ad54dd60ab713032f86f4337fa03874877f702578cfe856fd960aa1c480a7c5d47a21a1092339

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\lsdb.js
    Filesize: 559B
    MD5: 209b7ae0b6d8c3f9687c979d03b08089
    SHA1: 6449f8bff917115eef4e7488fae61942a869200f
    SHA256: e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
    SHA512: 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\manifest.json
    Filesize: 573B
    MD5: 0f0aa57fd1bded558f59162fa2f15011
    SHA1: ad1010c0cd071bc86eb6ad660b84d961676bc211
    SHA256: 0c5efe6140a17946f1ebc4ad45cef38233860d76e7d3c71ec31ad04cfa1f8040
    SHA512: 04d67916998c6e060b524605c43eeb584a639cfce2172d6bb523b57d77e2464f69f0f203fa76fef379a7b0ceb1c609fc960a6105756d5ce9d71cd7b9f9c507a4

  • C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\sqlite.js
    Filesize: 1KB
    MD5: d1c5ced21d976720ce2f861eb5496842
    SHA1: f633258f024d6a430aa8f55e04d98c963c91b8b4
    SHA256: b2b197d3014357b41c8fc2519a2af4c3b868d45a4aba0daf409ef8150ce418ea
    SHA512: 57c4b8ac6d1bf8e1dfa4dd7c275c53bfad684ef388776f96919ec3b9cc5f5eb52b693edf58c303920e022b1d1ea164f5cfa9eb5b2c4aea416e981739492fb152

  • C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.dat
    Filesize: 1008B
    MD5: 3674cc6f48edcf6409cc2cf74aeb5052
    SHA1: 2da344a23d5e1e663c836ce581ea67c11f8fc8de
    SHA256: 9575c9e27c0c351892e1e88bc4dab14f55f105b43b60a3228599c85d0189d099
    SHA512: ef5c78aa22d9a21ed201716ffea8b669073095714e2857ce0596986b6793b270114ec1f0f13428cb78de2ec2c4f94ca78c90a7008c91bd531d440930a547a1a6

  • \Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe
    Filesize: 482KB
    MD5: 2f21b030acc94619252a33d36dc2694c
    SHA1: 82c9801ec0d132500bc823defe9aaa1b8679d198
    SHA256: bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b
    SHA512: 27cb565725965634f7ee0b50ec1502cc188273194c4960545d503e91891d59d842d7a1c3f4b3347d501dd2e5ee89af9b148be1c7fbc6df65488a675eb42e030f