Analysis

  • max time kernel
    136s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 12:48

General

  • Target

    02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe

  • Size

    313KB

  • MD5

    02306ba42b99838a7e39a1b88ec32aa6

  • SHA1

    413754afb7073491bb026e7e18abe5e29a637bfa

  • SHA256

    0ce879031b2a31168acaf5d0994fcc1c83e53b2af70e21e5d00298f5de1a8beb

  • SHA512

    ca841f12b12646e036d65e2d85e8bec2c52a857e678eb6367d952b97c2aa22a361e229591a6198450ae17d2157594b873391d92ff93927d4952f3ef368ff0e67

  • SSDEEP

    6144:91OgDPdkBAFZWjadD4sUOKRDW7V5eRLUhweUAa8m0ydtRgkVjcWk+6:91OgLdaBniXeRada8PcHVjW+6

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\02306ba42b99838a7e39a1b88ec32aa6_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe
      .\setup.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:3656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Bcool\uninstall.exe

    Filesize

    46KB

    MD5

    2628f4240552cc3b2ba04ee51078ae0c

    SHA1

    5b0cca662149240d1fd4354beac1338e97e334ea

    SHA256

    03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

    SHA512

    6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\chrome.manifest

    Filesize

    114B

    MD5

    44074ed0cf78932fdc674867cfe1314a

    SHA1

    6ec9857924b82227a64b6934c7798098cddd0e2b

    SHA256

    de47b694c9b94d945f18ac04a85269100203bb52144b79e213f61798ed583911

    SHA512

    1ccb18bb816897000d7d9561efabea6e8f0ab91cfc3a78e7f67a9d4e651008d21e5fcea17ba2c57e478e39b6e5cfc101851e2ace92e9d82c21443b04de86747e

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\indexeddb.js

    Filesize

    1KB

    MD5

    041d5a4c75079646210f6c8938952559

    SHA1

    d8b22b144ebdf398b25b09e8ce3a39bc6e3e9fb0

    SHA256

    3edf03344a37506739082b302b30f1403150b69d50ba6a1bf866e672bc97d656

    SHA512

    36fdbf01b9791585b98ba88b2bb5ca4cfe393d4e9345f4c56fef9428a2a139c92746724665ed496acc62894e15db2267062e6c4428bc34401dd05663b48cf113

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jquery.js

    Filesize

    91KB

    MD5

    4bab8348a52d17428f684ad1ec3a427e

    SHA1

    56c912a8c8561070aee7b9808c5f3b2abec40063

    SHA256

    3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

    SHA512

    a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\jsext.js

    Filesize

    6KB

    MD5

    ee22556b46701f7d0e010b610eda28a7

    SHA1

    fd40a0b7c5aa4405353a0e8af8e854d1fc52146d

    SHA256

    81a818fee692ce8a8f9da3791de519f4771cd97db45ea1f74672425e82680d89

    SHA512

    34a8705ce8e3c87b83e5c404bd54cd600e54ba3df1f7617557cdf2f9bf63428cbdffb6e435648e9e920bdc26200b952b73580283c5188b8a2307e6dde852ca1c

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\lsdb.js

    Filesize

    1KB

    MD5

    e213d08df4ed01b9b9fec0bba6de98bd

    SHA1

    2e15a5c012e57172bfe28f86e99e53af42a1df7e

    SHA256

    e635e9694bf6605d88fdb50191c1d1b9991c0597f079cebc3b5d71c7ac712e9f

    SHA512

    06bcb850997e65be55210181795316b31c61b3c99565794c68d823093aff4e6b3b20da84ae557fcd121c9ba5a2cd433ed161c00614594c02a825430bd0d0f0f8

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\prfdb.js

    Filesize

    1KB

    MD5

    49a2b9dba3a6b008ec0fccdd44ec3aa4

    SHA1

    4ed5a0fa7226531a3c2560fd2a13b45812b371a4

    SHA256

    ffc1029d09018b7a011965ef1a956d93f8b3e8a2045f15e2b59de8625884c2bf

    SHA512

    f2d0ddfac872b9ee828fcfff1f2e08f33d45a7a0b97b9ea0b1edeee9e3660f895527613b64cdc41c9876e9005a8788b140499e9aa808336ab8cccae02c2ca93c

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\sqlite.js

    Filesize

    1KB

    MD5

    77215a36dfb962f0c948f7394eaeada3

    SHA1

    612721d569da4012cebcb24db3b2a5fad1f28de5

    SHA256

    e807eae5da5097abf5b6a143c93e9f88d17dedd504809baf38cd6a83b0e1e304

    SHA512

    62fe20a85b2215115947e85e8e95177170f5a316dfec4b593f04ecdba00cffccf4c2fd595cd4e50eec36db24a5356fbb7e8254dbe9718d103c721ab92e63068d

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\content\wx.xul

    Filesize

    228B

    MD5

    cf63313887bf2a6ba3d515d4b5770ccb

    SHA1

    87feb69adfd194a6d54997e883c1fad06550a1b1

    SHA256

    7c1555b1fa1985dae1a2c255909db0ab656b297d71a62bb3013b7d195c96ca0b

    SHA512

    dba3e8b80041a942fb7e11aaab1b8183eea9981a448f80fdde8b1f27c41a20f2a8d801f2c80ebc99fa0950c26a48553ab90234a5d195f4d0c0540c3e420905b3

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\[email protected]\install.rdf

    Filesize

    668B

    MD5

    138fc75ea0e455a1b49a67f5dc69cd5f

    SHA1

    49415c85830ea7a6c72ecd7e1db182b8510d5fb2

    SHA256

    e108624a8fd3e580da0172eb1c3b4a858fcc842eb672c18129835783de5cce90

    SHA512

    85cf99646b241df94fc5eabfba794b0e23308f148aefaf4c6ec66b615ed73a4970f66cd10a9b49b8a5d8b51f9a5a4f826110b86ab3e57668769595160bb2e470

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\background.html

    Filesize

    5KB

    MD5

    59d44d8ff64d3122bba7e125374c2773

    SHA1

    b3606b42139b83445a0c2d71b984a998dfaef2e7

    SHA256

    5aea39aaa54beed9c2ba0b7be83e13f3dd18e420e1d46feb6a822a0a4b350b55

    SHA512

    cdaa420e03528b113e6948a40355609ddbda4b7fa4fc05a8d14b75441ee0277e1416774f8c2f2bdcd687f4ac2bbde81c7b508949527ff032403956970d497545

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\bhoclass.dll

    Filesize

    137KB

    MD5

    ac13c733379328f86568f6e514c2f7f8

    SHA1

    338901240fedcef4e3892fd4c723c89154f4de05

    SHA256

    7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

    SHA512

    35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\content.js

    Filesize

    387B

    MD5

    ba5b6993530b6066c14d7d2327960b67

    SHA1

    cfcf80e24500180d7595f394d987a1ce253a3d29

    SHA256

    0ae5db773548890af4344ac3252c801f79897b25411f5b3ec768eaaf0448adb8

    SHA512

    ae51810defe182197ea44be10b2c872a174f705c3805fa1e00ca0b74c95cf0d846ae3932818a7593997c835fe3cdb2fdd8890ee7e7b802ae015a5e3ea619c6df

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\mhokfpodlphpfflnebofbgcoohgdheog.crx

    Filesize

    37KB

    MD5

    fac78659f8338442899bede62ef75e56

    SHA1

    6dda2e53588be1c2974382635cf45fcdd374a29b

    SHA256

    fd56b7fd4c90cce209da855127d1b547642771e928b7b147273ac0ef4c5c7873

    SHA512

    92b7882c04e2103bf44205a659bededecabba575b65d82278552da218d4d5014c762958764b96f51cd4b289232133b01a09166fbcbe9643d6443d52fe034284d

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\settings.ini

    Filesize

    593B

    MD5

    adb3f14b89cf23fcb80ddcb3f65f88d3

    SHA1

    677c54823bc8f2e91f4470f9c20e23e34e02e0f6

    SHA256

    d3ed8c0d638fde5fcae7171c9ec768accd636d8b8853db5ad751cd059df24cc8

    SHA512

    3a1ea028acc61477b81c2db3788fc7583aa5c23bb0f21549769484a6bd52916cf3f075332f00010f46ccc0c9fe432de4b7aa8ca9fe22296225ddcd529233d7ea

  • C:\Users\Admin\AppData\Local\Temp\7zS57F3.tmp\setup.exe

    Filesize

    61KB

    MD5

    201d2311011ffdf6c762fd46cdeb52ab

    SHA1

    65c474ca42a337745e288be0e21f43ceaafd5efe

    SHA256

    15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

    SHA512

    235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b