e388f211b7773443e09862bfbf2e4cd896e304ecfc0bafa73abeb646b1862baa

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
Size

4.2MB
MD5

02a3ac6f9cef56c354be8207b9ec347f
SHA1

0db68a8efb682f75a6ef53b28d9c4857b47e1cbd
SHA256

e388f211b7773443e09862bfbf2e4cd896e304ecfc0bafa73abeb646b1862baa
SHA512

c57a73691c8c36cbcba01861d28d0c917de6ca2e74098a5faab5b6611dc56d1ceea7179bc6c66238d4c3c780ab3faf770354abc892bb086c495c6473625b7885
SSDEEP

98304:BuukenKgDDMV5wFRC8RtUC2fVGM4c2f8XQQdNH76XesDGz43cm0M0dUg0a:Buuk+KjV5uRCStpSVd4c2f8gal6Xj2Xt

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2968	_2710.tmpac7d.exe
2748	securitymanager.exe
2640	Security_Monitor2012.exe

Loads dropped DLL 11 IoCs

pid	Process
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1932-0-0x0000000000400000-0x0000000000C16000-memory.dmp	upx
behavioral1/memory/1932-2-0x0000000000400000-0x0000000000C16000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Monitor 2012 Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security Monitor\\securitymanager.exe"	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Monitor 2012 Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security Monitor\\securitymanager.exe"	securitymanager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\jtm052wsucfs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe"	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security Monitor = "\"C:\\Users\\Admin\\AppData\\Roaming\\Security Monitor\\Security_Monitor2012.exe\" /STARTUP"	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.log	securitymanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
Token: SeDebugPrivilege	2640	Security_Monitor2012.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2748	securitymanager.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2748	securitymanager.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe
2640	Security_Monitor2012.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2968	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2968	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2968	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2968	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2748	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2748	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2748	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2748	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	30
PID 1932 wrote to memory of 2640	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2640	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2640	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2640	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	31
PID 1932 wrote to memory of 2724	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2724	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2724	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2724	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2668	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2668	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2668	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	34
PID 1932 wrote to memory of 2668	1932	02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02a3ac6f9cef56c354be8207b9ec347f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\_2710.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_2710.tmpac7d.exe" -p"03:03 AM" -y -o"C:\Users\Admin\AppData\Roaming\Security Monitor"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Roaming\Security Monitor\securitymanager.exe
  "C:\Users\Admin\AppData\Roaming\Security Monitor\securitymanager.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2748
- C:\Users\Admin\AppData\Roaming\Security Monitor\Security_Monitor2012.exe
  "C:\Users\Admin\AppData\Roaming\Security Monitor\Security_Monitor2012.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\Security Monitor"
  2⤵
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Security Monitor\Security_Monitor2012.exe

Filesize
2.9MB

MD5
b9b3f8ce01ef5d79d084bbc56ccb1969

SHA1
35726fc7bce6e810a1f53282831156f39e986477

SHA256
dd79ee57db4bb89242389d20296f3de910d9327eb089214d5b97746f4aa436da

SHA512
8b3663254b5221894a1cf0b0e23847e0bd0c09309f4e99bc1b1a8a3f37a2e597cd197338fa41e08cf43ffc735b241c103bf060c055cc104038a9e3c0da9b466b

Download Submit
C:\Users\Admin\AppData\Roaming\Security Monitor\securitymanager.exe

Filesize
380KB

MD5
10c41d19f89bc31444eb9965184bec12

SHA1
f74ab4cfe4846f9275abe3b9c1f969707b73dadd

SHA256
115dd58a8bf5333840f568fa7bfd98df7403a340d42ac293053c60e5c04f3183

SHA512
78344b926afa7c81eae8f82278c66a3057a742390c2551615e9ba89d6ff9e433e845f5a2bd07bdd5293d6f3cc0f1938575b8af837ddb5e081f7d2ba347fbf760

Download Submit
\Users\Admin\AppData\Local\Temp\_2710.tmpac7d.exe

Filesize
2.6MB

MD5
e72151c673615eae26b397347ab5e6d9

SHA1
a3abfd205a8fe0145df13e27499a2ab257972ec4

SHA256
7268651ac9e0bd46e13e02c73688bf61987d2e09e51e5b63590aa2efabd233c0

SHA512
055b2fb8fd2e4500b8a68776b40950d352d157fef0d7e13f81f56eecb3ffd34c632f48288ac4a591f716dbdc1319dd7dbb278f4579b838050045e1f77d3e12d4

Download Submit
memory/1932-54-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x0000000000400000-0x0000000000C16000-memory.dmp

Filesize
8.1MB

Download
memory/1932-5-0x0000000000401000-0x00000000007DE000-memory.dmp

Filesize
3.9MB

Download
memory/1932-2-0x0000000000400000-0x0000000000C16000-memory.dmp

Filesize
8.1MB

Download
memory/1932-1-0x0000000000D80000-0x00000000011C0000-memory.dmp

Filesize
4.2MB

Download
memory/1932-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1932-47-0x0000000000400000-0x0000000000C16000-memory.dmp

Filesize
8.1MB

Download
memory/1932-59-0x0000000000400000-0x0000000000C16000-memory.dmp

Filesize
8.1MB

Download
memory/1932-55-0x0000000000401000-0x00000000007DE000-memory.dmp

Filesize
3.9MB

Download
memory/1932-53-0x0000000000D80000-0x00000000011C0000-memory.dmp

Filesize
4.2MB

Download
memory/2640-74-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-77-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-49-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-58-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-92-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-61-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-64-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-68-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-71-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-89-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-52-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-80-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-83-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2640-86-0x0000000000400000-0x0000000001945000-memory.dmp

Filesize
21.3MB

Download
memory/2748-46-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2748-48-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download