Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-06-2024 04:49

General

  • Target

    0c9f92e381709c176eb2ebd0263ac3fc_JaffaCakes118.exe

  • Size

    18KB

  • MD5

    0c9f92e381709c176eb2ebd0263ac3fc

  • SHA1

    36991426a89416bfc5b1d926a956104a1d4aded3

  • SHA256

    a4ee22697e85e57d8d8c73a278d83801022592f5ae15986a3df8ab7ad4d75ecd

  • SHA512

    d32c63c8e4161713716a5fd6820cb182e10d4a900b92cd237641630352a89a606bcec7a4a8ae7ab5feced3ca214c9929a6d5805f77e916a4cf78baa6ac22d9c5

  • SSDEEP

    384:5r3keEG5NS3aUEcIIx/j91BH/98q05xT4kstbmgzQLZk:5r3keEGLS3LEgjxV8xxT4zBmg

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Checks installed software on the system 1 TTP

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c9f92e381709c176eb2ebd0263ac3fc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c9f92e381709c176eb2ebd0263ac3fc_JaffaCakes118.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2340

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\ufr_files\NO_PWDS_report_25-06-2024_04-49-26-NCFL.bin

    Filesize

    1KB

    MD5

    0b638179fe78027620fe2e66c5d5ef7f

    SHA1

    f7954fc01f1f376f41e063ad467667b1a6525681

    SHA256

    381741a961d996facf1e33300e1f05ce77317cc330866b64d8399d1918de6765

    SHA512

    e8ae5e23420621c955b21ce78c71c7478d9a6c3fbed65c418169479ff0843c13051f0e686a11ad909d5831ad618cd844cd610fbe4c8320bbf08d7910d560baed

  • memory/2340-0-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-5-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-15-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-19-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-20-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-22-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-23-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-30-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB