d3da8be7958933239f235fae0ab343789b55072a3d0f71f574904691e346cd2c

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
Size

309KB
MD5

0fa6056ecad4573b6606485a35bd162f
SHA1

ab36ec457c6d2b6b1afc5808f29d1ff0ee779b5b
SHA256

d3da8be7958933239f235fae0ab343789b55072a3d0f71f574904691e346cd2c
SHA512

2723008d4b6536af98ec72f3d4d6f18987ac3c3d420d917388a03b2b95a2a73e9da398f14bcac45305f80fd231205631c4cd1f4a8f678aaee3e0c411db423392
SSDEEP

6144:Fdtrmw7dQy846rYmzVZfAiRDwY9w5+pk44ZZn3G3Kyb0xbEPH:FrrHCyQrd4iFd9FC44jG3KI

Score

9^/10

collection

Malware Config

Signatures

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/memory/2956-25-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2956-21-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/2956-26-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral1/memory/1280-62-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 set thread context of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 set thread context of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 set thread context of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 set thread context of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 set thread context of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 set thread context of 1532	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	34

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
Token: SeDebugPrivilege	1280	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2956	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	28
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 2616	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	29
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 1280	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	30
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2424	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	31
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2364	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	32
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 2768	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	33
PID 1796 wrote to memory of 1532	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	34
PID 1796 wrote to memory of 1532	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	34
PID 1796 wrote to memory of 1532	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	34
PID 1796 wrote to memory of 1532	1796	0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\0fa6056ecad4573b6606485a35bd162f_JaffaCakes118.exe
  /stext C:\Users\Admin\AppData\Local\Temp\temp.txt
  2⤵
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
memory/1280-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1796-159-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-152-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-0-0x0000000000320000-0x0000000000377000-memory.dmp

Filesize
348KB

Download
memory/1796-2-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2364-111-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2616-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-41-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-46-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-47-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2616-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2956-8-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2956-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download