b67f4f25d5d2ed6c605ca204f28d94c0364e858e09539d9608a6e61452939f15

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe
Size

591KB
MD5

020ebc6458731ea5132990ba59516bfb
SHA1

48293e02e8efcc4db69c0440f3fd3bd45fc9817f
SHA256

b67f4f25d5d2ed6c605ca204f28d94c0364e858e09539d9608a6e61452939f15
SHA512

dd48d851cd3d59f372e4ed673d5fff1bd8b7be703338568ea414f36d7023c67df93ecf9ebf550185089ce6cc13d65a885ee5b8cfd9b802f6704e8d00bc1f9233
SSDEEP

12288:j862Oi5XQhEeZHauP0MbadCGA7yeREK14sCbWFL2oQ2PXVo8C:j862Oi5XQhEeZHNbadWye74sCbjmC

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1436 wrote to memory of 1144	1436	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	80
PID 1144 wrote to memory of 2016	1144	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	87
PID 1144 wrote to memory of 2016	1144	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	87
PID 1144 wrote to memory of 2016	1144	020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\020ebc6458731ea5132990ba59516bfb_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\125.bat
    3⤵
    PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\125.bat

Filesize
175B

MD5
855ca4b669284bfe3072ccb35f99700e

SHA1
2b4e5815096ac9da5cf7742b87ad4ece4b331857

SHA256
ed7ba78f3918512fef821df109e172faff5599491cb364c1ffb96f9c2d76c95d

SHA512
e558fc90d36bae763afc605a1d28d73438a533cb2d74a436ebf177a31676c7bea240d841b0d8f95b9d43f405967b22317223f55b8a0f9d03f79c93a33b654349

Download Submit
C:\Users\Admin\AppData\Local\Temp\63485.exe

Filesize
591KB

MD5
020ebc6458731ea5132990ba59516bfb

SHA1
48293e02e8efcc4db69c0440f3fd3bd45fc9817f

SHA256
b67f4f25d5d2ed6c605ca204f28d94c0364e858e09539d9608a6e61452939f15

SHA512
dd48d851cd3d59f372e4ed673d5fff1bd8b7be703338568ea414f36d7023c67df93ecf9ebf550185089ce6cc13d65a885ee5b8cfd9b802f6704e8d00bc1f9233

Download Submit
memory/1144-0-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-2-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-3-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-4-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-13-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-14-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download