Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-06-2024 21:50

General

  • Target

    17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe

  • Size

    229KB

  • MD5

    17a8208667e746f100921b9d45c264c9

  • SHA1

    135a08bb0b340a170f426f623296c0fec969169e

  • SHA256

    1930a2efe2ab477ad2e503766ae4fbf0b15fc1fe2b76316de1b9f32793715707

  • SHA512

    2281b01c93f1823ffc5d578fff20b6a9e41bb4dd51f9bdba8620a7f0b1988305b0b74243fc2d0329ad1eaa28a590a2c6c304271731a688a520556e77d75293e5

  • SSDEEP

    3072:ebHHjm3P7BkOWWLvmxJny8HxhC2bl1DsyOrExy:ebHjCkeLvH8pbl1Yy

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\17a8208667e746f100921b9d45c264c9_JaffaCakes118.exe"
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1960
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
              PID:2080

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe

        Filesize

        562KB

        MD5

        f3d5b0ccd930a881669ab75d00bfdbb1

        SHA1

        027543dfd1420d28f7311970f95ca058c3334178

        SHA256

        80835b40f115fa6176dc96d8fca3812f3451cc599d6161ad8707a9d0511b51ba

        SHA512

        11758da31ade3462acf01c86679638c4d9943b0a3822bb1849a213d2818376ca0fece2e525dbb068ce27bff48008e8915d603d058f2e2a672e97bdf753e5f355

      • F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

        Filesize

        9B

        MD5

        7d17b811a66f09661920bf5af1f95ae9

        SHA1

        f974fb71f0c9242357d308243f16d5509a0fb040

        SHA256

        1ffbf32a83283a76202c268eb3ea579c4b39aa6fb11fc42ad18318286fbf749c

        SHA512

        019689bb28dd360a9b3fe6696944854f806ebe877734f4f8533f7c2508d371049a96f6c7bd5dda908ab91686dbfba4a54335cbc6c4d649775e62912f0af730e3

      • memory/1200-5-0x0000000002550000-0x0000000002551000-memory.dmp

        Filesize

        4KB

      • memory/2244-0-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

      • memory/2244-4309-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB