Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    22-06-2024 13:03

General

  • Target

    02412534457a9759b5acb59976da2e79_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    02412534457a9759b5acb59976da2e79

  • SHA1

    a4be4855c69bd446d46fc4974a531130c958c4bf

  • SHA256

    61af79ddde9248dafeedb35d94a727d482c8931b4e522bd70d1d8a81de69de13

  • SHA512

    df08f1e7924102b2f0d8517592f88e282633f8dc1f4766ff3e384e1e1c16f16d573bc2e1af08e69cf7749e32c3b3d84352dc6c3dfeb26d3eeda7e670444dab18

  • SSDEEP

    6144:91OgDPdkBAFZWjadD4seHg6qZBVqJHAY0:91OgLdaIPzY0

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\02412534457a9759b5acb59976da2e79_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe
      .\setup.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Bcool\uninstall.exe

    Filesize

    46KB

    MD5

    8be20144dbd200c6de0c9430ed9280cf

    SHA1

    b81e3aacaaedd66ef0896acabc6983c94758e2b4

    SHA256

    634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6

    SHA512

    fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\bootstrap.js

    Filesize

    2KB

    MD5

    0d5806a9d0b4022b51c6cecbb376bbf0

    SHA1

    b41728d98e196ff38d95811ccb12a8f90fa36772

    SHA256

    0b22de180788ca29718e704998bcfac197d35819ac7ade6833f2a9affcac950a

    SHA512

    fdcb758763a99dd514f726aa4051fcfb171ac4d9e16022cbace6bb009057069c67412b021ed8b5f81f3244bdca5ffb57e29d16486e4abd050aa28512bc375e90

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\chrome.manifest

    Filesize

    116B

    MD5

    909f8888eb1a0e3dbaf20612552c7264

    SHA1

    15c80419a70ef5300fa19eaaaea38c9a821aa418

    SHA256

    a00c90290efa6a6d501adb804bcaca5722c6713f741f11ff6547f7ae0f1d8d12

    SHA512

    9c0e55db2eaff400e4232b07a75b772a7bff10d06dac3effefd130c46645945bb48a0865e969b38ada77224208110808d8138f116c74ad5a7fa8d49339db589d

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\content\bg.js

    Filesize

    8KB

    MD5

    31280ea25cce962cdddd6b472d667a9d

    SHA1

    91c4a4a29aef235828184a7b5626ea2e324676b0

    SHA256

    330275091c3f38219aa3523f90ecb68a7a9afb7a3eb8a61bcf7ae0c9e491e835

    SHA512

    68a4ede7afb42e86f0201d1f8f2f1c7fea9a9d7145a9f3656a4a17db3507a1fa7627318278bbdbea832df74648d4465b1f402205a114d6f212ef17752ee1231d

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\content\zy.xul

    Filesize

    225B

    MD5

    4b7ff875645966a272aaff9eca08db3d

    SHA1

    c45963632f9bff2299517778fb13d6a2b5ea942e

    SHA256

    388602380f6472fa68a7925e78016b057e01582a72f764d8e70c5ed3719bf386

    SHA512

    c45ca275e1a148a60f8819533a812633968245a0ba069a00fe26e9265d9787478e482fca2b341fb6a3485f7d9016cb4d976772432f7e58aa67608ebceb509077

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\[email protected]\install.rdf

    Filesize

    705B

    MD5

    53e63cef50ec3650a1973f9fe00487cd

    SHA1

    1c5b56545c8ed80501fd3b447d81b66f72b4c452

    SHA256

    a2f62ca6fe84c46d03a30a7807de1e2a811859b7ca8a28f2e0f14890786f44b9

    SHA512

    534dc36c1eb4cf63521ad9b312ac203d9b2ed1f355bfe525bb1cb0902c1f9863f39c1010a25206f81d60eccfcd75915e026022d19f404678371278721200b6f1

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\background.html

    Filesize

    4KB

    MD5

    8fdd3da703d4b42462ef0d067bcea821

    SHA1

    07fa10f4c9bd67e15872ada76ee361fdd8e7d601

    SHA256

    6711ff506564ef453c2107625f6fd0d600301dfc3ff57b4f99e4f01e1d6d2301

    SHA512

    9226147819219b7314265e424520b06ceda50af2b5880a2d5414b0f5e5e5978126a54ed38cc73bbf620433b90a5a83f661342f391baaba414200753a402d23c6

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\bhoclass.dll

    Filesize

    139KB

    MD5

    4b35f6c1f932f52fa9901fbc47b432df

    SHA1

    8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

    SHA256

    2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

    SHA512

    8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\content.js

    Filesize

    387B

    MD5

    8b1fc597048d42e69cb5fb65a584d692

    SHA1

    972519e7b28ecfabddaaed11254db3a365e5ad28

    SHA256

    66698572f9306dffbc63ceca591ac858db5e2af1954718376aff25dea78c2eec

    SHA512

    246358557e51a8fa93d2e73d0be1e480c4495d287f14fd0f56c1ed3fe5ea32d92dab4473d3bb8e1cadcab5e35a7fbc2adc5690ba7c2cb92eae188889f984c1c9

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\obolkfkifbgldigmdfajpgicgbffdmnj.crx

    Filesize

    3KB

    MD5

    9794d9593738a1d2e6a176a934f4874b

    SHA1

    7c1d2facf4fd77daf755036ce4deedf0da8fef51

    SHA256

    8e461dee1dc70d9632d3277cef83e2e760c005d144e2ec5dc3508bfbd16eb555

    SHA512

    c3ee3ca1e609d27cf0c514899dbc58dec9501bd6e2ce4339a920cb228d05bfa483317edae36184ff162583cc263d67b0e42716449f7c7e16564f93cf19a18d22

  • C:\Users\Admin\AppData\Local\Temp\7zSCDC.tmp\settings.ini

    Filesize

    650B

    MD5

    70f3bae144bd385a1ffc6c34636abbcc

    SHA1

    b869df29a7609069a03a529555b3e56af6a8e128

    SHA256

    1e27a51c4bf1aa2ddb45a6c4cb05170e8e7821cdbf676d3098f41816c207d915

    SHA512

    ca5ce15f84c42fe7dfc4f02062a137139c41c9b50f9382ad044c3a7328d1dad0fa8cb2d7e04350b67b1f98766da13fc0308ffc66e0fc66bc424b0f7483377091

  • \Users\Admin\AppData\Local\Temp\7zSCDC.tmp\setup.exe

    Filesize

    61KB

    MD5

    16ef6e914973925977cdc5ef6b8b2565

    SHA1

    4815da2815975b33f5dc94d482e6dbc02588afa6

    SHA256

    6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f

    SHA512

    c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059