Malware Analysis Report

2024-11-30 05:57

Sample ID 240614-hq291ayhmf
Target a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118
SHA256 16e5c3b11d202d74cc723470ce9d68e9c166ebd1d4f7bac9ab782b910d17e2dc
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

16e5c3b11d202d74cc723470ce9d68e9c166ebd1d4f7bac9ab782b910d17e2dc

Threat Level: Shows suspicious behavior

The file a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 06:59

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\liapedcpjfogjakipkplljngomamaiik\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/umypQ1hCsK.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe

MD5 2f21b030acc94619252a33d36dc2694c
SHA1 82c9801ec0d132500bc823defe9aaa1b8679d198
SHA256 bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b
SHA512 27cb565725965634f7ee0b50ec1502cc188273194c4960545d503e91891d59d842d7a1c3f4b3347d501dd2e5ee89af9b148be1c7fbc6df65488a675eb42e030f

C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.dat

MD5 3674cc6f48edcf6409cc2cf74aeb5052
SHA1 2da344a23d5e1e663c836ce581ea67c11f8fc8de
SHA256 9575c9e27c0c351892e1e88bc4dab14f55f105b43b60a3228599c85d0189d099
SHA512 ef5c78aa22d9a21ed201716ffea8b669073095714e2857ce0596986b6793b270114ec1f0f13428cb78de2ec2c4f94ca78c90a7008c91bd531d440930a547a1a6

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\background.html

MD5 69149d2f17bd339e09edde3150565e34
SHA1 5723aac5c7343ac8e9c5323336ad310293bb21a5
SHA256 0d3ca859b2a91c39d537761ef4e321d7db61bb00176aa09378f86a8bf8a6a0d5
SHA512 2a82b4ac5a393fa08cbc1693584f84105a72af5ccad1487b23df3938152ccb9673dbfa948a42238a13395cc308f4e1c4bfde9e5edde2fa413f0226a2251354ae

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\DDoMwHVj8m_.js

MD5 a2fc8498dda3769805b3f3644d55c5cb
SHA1 d697d34445c2ecb5c18be6bee5769f033a370a51
SHA256 469c21d222d88b581ce6c6889d31f8fe9fc1fb54be764354b66df6549844f72f
SHA512 743b6e7e1e5e988b80f3f8065e9b33e05ce570c36c8d6a49614b7b7becda72a2cf7c119f1d8be40848abd30766e57c70a73b41da2f93a79a8a4394eef76fd944

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\icon48.png

MD5 2d9fa528304f24e9cd384cf3db6fdd79
SHA1 1c3e8f317a4d6f7d0072d6fc11d513f57387d9ee
SHA256 e6fb5927cd13f2c4f3e5096f7f278dc56aece7575389a8db6efb8d85aefaba20
SHA512 d31a056a26b8d2a98f6f298c1ae50fe130b0c52923ebbbb8886ad54dd60ab713032f86f4337fa03874877f702578cfe856fd960aa1c480a7c5d47a21a1092339

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\manifest.json

MD5 0f0aa57fd1bded558f59162fa2f15011
SHA1 ad1010c0cd071bc86eb6ad660b84d961676bc211
SHA256 0c5efe6140a17946f1ebc4ad45cef38233860d76e7d3c71ec31ad04cfa1f8040
SHA512 04d67916998c6e060b524605c43eeb584a639cfce2172d6bb523b57d77e2464f69f0f203fa76fef379a7b0ceb1c609fc960a6105756d5ce9d71cd7b9f9c507a4

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\sqlite.js

MD5 d1c5ced21d976720ce2f861eb5496842
SHA1 f633258f024d6a430aa8f55e04d98c963c91b8b4
SHA256 b2b197d3014357b41c8fc2519a2af4c3b868d45a4aba0daf409ef8150ce418ea
SHA512 57c4b8ac6d1bf8e1dfa4dd7c275c53bfad684ef388776f96919ec3b9cc5f5eb52b693edf58c303920e022b1d1ea164f5cfa9eb5b2c4aea416e981739492fb152
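Host sweep for the artefacts listed above, added here as an example and not part of the sandbox report. It walks a Chrome user-data directory, flags any extension whose ID matches the one the dropper wrote (liapedcpjfogjakipkplljngomamaiik), that lacks a Web Store update_url, or that asks for high-risk permissions, and hashes files under a directory against the SHA-256 values from the Files section. The extension ID and hashes are taken from the report; the update_url rule, the permission list and the demo manifests written by make_demo_profile are assumptions for illustration.

```python
"""Host sweep for this report's artefacts (added example, not sandbox output).

Checks a Chrome user-data tree for the side-loaded extension and hashes files
against the report's SHA-256 list.  Extension ID and hashes come from the
report; update_url rule, permission set and demo data are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Extension directory name observed in behavioral1 and behavioral2.
WATCHLIST_EXTENSION_IDS = {"liapedcpjfogjakipkplljngomamaiik"}

# SHA-256 values from the report's Files section, keyed to the file name.
REPORT_SHA256 = {
    "bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b": "umypQ1hCsK.exe",
    "9575c9e27c0c351892e1e88bc4dab14f55f105b43b60a3228599c85d0189d099": "umypQ1hCsK.dat",
    "0d3ca859b2a91c39d537761ef4e321d7db61bb00176aa09378f86a8bf8a6a0d5": "background.html",
    "fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b": "content.js",
    "469c21d222d88b581ce6c6889d31f8fe9fc1fb54be764354b66df6549844f72f": "DDoMwHVj8m_.js",
    "e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704": "lsdb.js",
    "e6fb5927cd13f2c4f3e5096f7f278dc56aece7575389a8db6efb8d85aefaba20": "icon48.png",
    "0c5efe6140a17946f1ebc4ad45cef38233860d76e7d3c71ec31ad04cfa1f8040": "manifest.json",
    "b2b197d3014357b41c8fc2519a2af4c3b868d45a4aba0daf409ef8150ce418ea": "sqlite.js",
}

# Web Store-managed extensions carry this update_url; an extension written
# straight into the profile directory, as the dropper does here, normally does
# not.  The permission set is an assumed list for a browser credential stealer.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "tabs", "history", "nativeMessaging", "<all_urls>"}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_extensions(user_data_dir, watchlist=WATCHLIST_EXTENSION_IDS):
    """Check <profile>/Extensions/<id>/<version>/manifest.json; return (path, reasons)."""
    findings = []
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest.parents[1].name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append((str(manifest), [f"unreadable manifest: {exc}"]))
            continue
        reasons = []
        if ext_id in watchlist:
            reasons.append(f"extension id {ext_id} is on the watchlist")
        if data.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("no Web Store update_url (side-loaded or unpacked)")
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        risky = sorted(perms & HIGH_RISK_PERMISSIONS)
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(risky))
        if reasons:
            findings.append((str(manifest), reasons))
    return findings


def hash_sweep(root, iocs=REPORT_SHA256):
    """Return {path: ioc_name} for every file under root whose SHA-256 is in iocs."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits[p] = iocs[digest]
    return hits


# Constructed demo data so the sweep runs offline (stand-ins, not real samples).
DEMO_CONTENT = b"constructed stand-in for a dropped file\n"
DEMO_IOCS = {hashlib.sha256(DEMO_CONTENT).hexdigest(): "demo-dropped-file"}


def make_demo_profile():
    """Write a fake Chrome user-data tree: one side-loaded, one Web Store extension."""
    base = Path(tempfile.mkdtemp(prefix="chrome-demo-"))
    bad = base / "Default" / "Extensions" / "liapedcpjfogjakipkplljngomamaiik" / "1.0"
    good = base / "Default" / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / "2.1"
    bad.mkdir(parents=True)
    good.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "x", "version": "1.0", "permissions": ["tabs", "cookies", "storage"]}))
    (good / "manifest.json").write_text(json.dumps(
        {"name": "y", "version": "2.1", "update_url": WEBSTORE_UPDATE_URL,
         "permissions": ["alarms"]}))
    (base / "dropped.bin").write_bytes(DEMO_CONTENT)
    return str(base)


if __name__ == "__main__":
    demo = make_demo_profile()
    for path, reasons in audit_extensions(demo):
        print(path, *reasons, sep="\n  ")
    for p, n in hash_sweep(demo, DEMO_IOCS).items():
        print(f"IOC match: {p} -> {n}")
```

On a live host, point audit_extensions at %LOCALAPPDATA%\Google\Chrome\User Data and hash_sweep at %LOCALAPPDATA%\Temp with the default REPORT_SHA256 set; a hit on the numbered 00294823 staging folder or on the extension ID is the confirmation the sandbox verdict asks for.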

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 06:59

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\liapedcpjfogjakipkplljngomamaiik\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/umypQ1hCsK.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
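Detection logic for the two behaviours the process tree and file writes above show: a dropped EXE launched from a numbered staging folder under %TEMP% by a parent that itself lives in %TEMP%, and a Chrome extension manifest written by a process that is not a browser. This is an added example, not part of the sandbox report. The events are constructed in Sysmon field style (EventID 1 for process create, EventID 11 for file create) and copy the report's paths and command lines; the browser allowlist and the six-digit staging-folder pattern are assumptions.

```python
"""Detection for this report's dropper and extension-drop behaviour.

Added example, not sandbox output.  Events below are constructed in Sysmon
field style; paths copy the report's process tree, the browser allowlist and
staging-folder pattern are assumptions.
"""
import re

# Numbered staging folder directly under %TEMP% (00294823 in this report), with
# either separator, since the dropper's own command line mixes \ and /.
TEMP_STAGING = re.compile(r"\\AppData\\Local\\Temp[\\/]\d{6,}[\\/][^\\/]+\.exe$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp[\\/]", re.I)
# Chrome extension install tree: ...\User Data\<profile>\Extensions\<32 x a-p>\
CHROME_EXT_DIR = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Extensions\\[a-p]{32}\\", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}  # assumed allowlist for extension writes


def image_name(path):
    return re.split(r"[\\/]", path)[-1].lower()


def check_process_create(ev):
    """EventID 1: child runs from a numbered staging folder and parent is in TEMP."""
    if ev.get("EventID") != 1:
        return None
    parent = ev.get("ParentImage", "")
    if TEMP_STAGING.search(ev.get("Image", "")) and TEMP_DIR.search(parent):
        return ("dropped-exe-from-temp-staging", ev["Image"], parent)
    return None


def check_file_create(ev):
    """EventID 11: a non-browser process writes into a Chrome Extensions directory."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    if CHROME_EXT_DIR.search(target) and image_name(ev.get("Image", "")) not in BROWSER_IMAGES:
        return ("non-browser-writes-chrome-extension", ev["Image"], target)
    return None


def detect(events):
    """Run every check over every event; return the list of (rule, image, detail) hits."""
    alerts = []
    for ev in events:
        for check in (check_process_create, check_file_create):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a86ba7b2d74e7d734c30d96d839fa093_JaffaCakes118.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe"
EXT_MANIFEST = (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions"
                r"\liapedcpjfogjakipkplljngomamaiik\1.0\manifest.json")

# Constructed events modelled on the report's process tree and file writes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{DROPPER}"'},
    {"EventID": 1, "Image": STAGE2, "ParentImage": DROPPER,
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp/00294823/umypQ1hCsK.exe"'},
    {"EventID": 11, "Image": STAGE2, "TargetFilename": EXT_MANIFEST},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": EXT_MANIFEST},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=utility"},
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

The second rule is the higher-value one: Chrome itself is the only process that should populate the Extensions tree, so any other image writing a manifest.json there is worth an alert regardless of the extension ID. The first rule will also fire on benign self-extracting installers that stage under %TEMP%, so treat it as a correlating signal rather than a standalone alert.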

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.exe

MD5 2f21b030acc94619252a33d36dc2694c
SHA1 82c9801ec0d132500bc823defe9aaa1b8679d198
SHA256 bf0a543d607d8c4f6a64ceb3a09488cfd7631191eb2c6ff6db3532ff1d34a62b
SHA512 27cb565725965634f7ee0b50ec1502cc188273194c4960545d503e91891d59d842d7a1c3f4b3347d501dd2e5ee89af9b148be1c7fbc6df65488a675eb42e030f

C:\Users\Admin\AppData\Local\Temp\00294823\umypQ1hCsK.dat

MD5 3674cc6f48edcf6409cc2cf74aeb5052
SHA1 2da344a23d5e1e663c836ce581ea67c11f8fc8de
SHA256 9575c9e27c0c351892e1e88bc4dab14f55f105b43b60a3228599c85d0189d099
SHA512 ef5c78aa22d9a21ed201716ffea8b669073095714e2857ce0596986b6793b270114ec1f0f13428cb78de2ec2c4f94ca78c90a7008c91bd531d440930a547a1a6

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\icon48.png

MD5 2d9fa528304f24e9cd384cf3db6fdd79
SHA1 1c3e8f317a4d6f7d0072d6fc11d513f57387d9ee
SHA256 e6fb5927cd13f2c4f3e5096f7f278dc56aece7575389a8db6efb8d85aefaba20
SHA512 d31a056a26b8d2a98f6f298c1ae50fe130b0c52923ebbbb8886ad54dd60ab713032f86f4337fa03874877f702578cfe856fd960aa1c480a7c5d47a21a1092339

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\DDoMwHVj8m_.js

MD5 a2fc8498dda3769805b3f3644d55c5cb
SHA1 d697d34445c2ecb5c18be6bee5769f033a370a51
SHA256 469c21d222d88b581ce6c6889d31f8fe9fc1fb54be764354b66df6549844f72f
SHA512 743b6e7e1e5e988b80f3f8065e9b33e05ce570c36c8d6a49614b7b7becda72a2cf7c119f1d8be40848abd30766e57c70a73b41da2f93a79a8a4394eef76fd944

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\background.html

MD5 69149d2f17bd339e09edde3150565e34
SHA1 5723aac5c7343ac8e9c5323336ad310293bb21a5
SHA256 0d3ca859b2a91c39d537761ef4e321d7db61bb00176aa09378f86a8bf8a6a0d5
SHA512 2a82b4ac5a393fa08cbc1693584f84105a72af5ccad1487b23df3938152ccb9673dbfa948a42238a13395cc308f4e1c4bfde9e5edde2fa413f0226a2251354ae

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\manifest.json

MD5 0f0aa57fd1bded558f59162fa2f15011
SHA1 ad1010c0cd071bc86eb6ad660b84d961676bc211
SHA256 0c5efe6140a17946f1ebc4ad45cef38233860d76e7d3c71ec31ad04cfa1f8040
SHA512 04d67916998c6e060b524605c43eeb584a639cfce2172d6bb523b57d77e2464f69f0f203fa76fef379a7b0ceb1c609fc960a6105756d5ce9d71cd7b9f9c507a4

C:\Users\Admin\AppData\Local\Temp\00294823\liapedcpjfogjakipkplljngomamaiik\sqlite.js

MD5 d1c5ced21d976720ce2f861eb5496842
SHA1 f633258f024d6a430aa8f55e04d98c963c91b8b4
SHA256 b2b197d3014357b41c8fc2519a2af4c3b868d45a4aba0daf409ef8150ce418ea
SHA512 57c4b8ac6d1bf8e1dfa4dd7c275c53bfad684ef388776f96919ec3b9cc5f5eb52b693edf58c303920e022b1d1ea164f5cfa9eb5b2c4aea416e981739492fb152