Analysis
-
max time kernel
142s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
24/06/2024, 01:42
Static task
static1
Behavioral task
behavioral1
Sample
06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe
-
Size
169KB
-
MD5
06f588f54dea668717613c4f90ad961e
-
SHA1
61ec0f1d630521855b345ce91433efbf33a95116
-
SHA256
17432d218dd35ec276a34ab7f633cd4b57051102b598cda43a81279eea8d4ba9
-
SHA512
2b350f85e861b115383950ea20302b2bd76eb5f25939eb951e42d2a8701ca610ffd5175448c15cb69d3e3bb4c01d516cc03e8d6014f45f02415ff24d381ec3ab
-
SSDEEP
3072:YGCXtAAR6rwMuw4SJkTuxCHDQbQk2S3eFDaQDdpAQ9vPN8Vd7Cap3kbu7gQZO:zCXDmwMAqCjQck5enuCvPN8VNZxkbtx
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe" 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2012-1-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2280-6-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2280-7-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2280-9-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2012-20-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2808-86-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2808-85-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2808-88-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2012-89-0x0000000000400000-0x000000000046A000-memory.dmp upx behavioral1/memory/2012-198-0x0000000000400000-0x000000000046A000-memory.dmp upx -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2012 wrote to memory of 2280 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 28 PID 2012 wrote to memory of 2280 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 28 PID 2012 wrote to memory of 2280 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 28 PID 2012 wrote to memory of 2280 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 28 PID 2012 wrote to memory of 2808 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2808 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2808 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 30 PID 2012 wrote to memory of 2808 2012 06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft2⤵PID:2280
-
-
C:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\06f588f54dea668717613c4f90ad961e_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵PID:2808
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
597B
MD5c03f36ac3e3a99fb1f4e1cb940317deb
SHA188dd1d46c8e6cd2f49af1c62ba22b76ced77931a
SHA256a706a91c42b4ed27fd8eaad1f3e4f9dbcc0dd09a06bc4d4e30ab7b5cc3383414
SHA5125a500689afd4ada7b3ed6b55865442658297a8ecac4f3d4708039ba46fa08863f708c193e97107b62b0cd1d1d240072be645772832b6942b0941b45b8c3072a5
-
Filesize
1KB
MD5a5d8c662e399972f2146a86f812817b4
SHA14b8e8ecea64d755c99f0127792ffdc5968b0adea
SHA2567d997340795f3dc82adef53d917d3105170eccf94bd4ff4cb7b08858541fb186
SHA512f3f007199282672f679e0cf2ffbdedcd187b5fb5bb2ad7c223b8547b952bc92e7cc116ba9cb5b02437f9dca95c8ad1fb96c17441e7b0f010ba2f111057055e3d
-
Filesize
897B
MD569fcb6e3fdb181ab60d4d3084615fcbf
SHA119ca11e390752e8a7d34cc1ee93730790cb3a3b5
SHA25659bb912a4cb4ac6f7e84105d7ff54257dc9f1fdf2e5421fb2ae206a0e859c9ae
SHA51260ac41b81f919489cf6f720e22f937876f16a0a62165149adfedfe2583cc27e95b828b129e64ec8c59f517c1fac67c57f6937dd8029b49e39aabd47ffdd0d088