Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 12:29

General

  • Target

    1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    1b4e5eb487d966f8b446cf7effd2ac69

  • SHA1

    7e0a1b084423db665b244b8c7eade88fd99b804f

  • SHA256

    17eb7aca0b4fe76f2d5e3ea4916cf5658da5c7092f09b703c5d75da22446377c

  • SHA512

    8b3df6bdc362744d3d070553f49990e475eb387c0614f58426a033149203f83a4a176f2a7358034e6c1fe75ad8f7f0472bc4ffeea69f8b7d93daa8150d8638b4

  • SSDEEP

    24576:Wv9ZORd/2LGq3dt5Fior66tiJBcy22EMAs/3AMwNC1r3jU6zl:Wv7ORd/sGsCzN/3AM2CdQ6zl

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\43495.BAT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\attrib.exe
        attrib -a -s -r -h /s /d "C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\*.*"
        3⤵
        • Views/modifies file attributes
        PID:988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\43495.BAT

    Filesize

    363B

    MD5

    1b5d074780f0e18dcfbf4c9215caee53

    SHA1

    ad34f869bab2619f3835a96ab210b8f052ee3df9

    SHA256

    484487c53324bb2c43181d4d72375a1e100cf8f9e773c4c984bd33c18e83ca3b

    SHA512

    8e06a35e13ef9b3f643defb5c769ae3dbd30383230d5b82680db9288ea63975aad3bddb18062f93f3a4d3929995326a859792707b8645be005bc1d4dd1251a1d

  • C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\bRGwF.dll

    Filesize

    365KB

    MD5

    93f850d70e7a3dfaab82cab22dd230bd

    SHA1

    818ae103e5f5f1654001b289e0aadaaac363121e

    SHA256

    b8f05f1e3d8f2387abddddc06219036df02381ad5716ec41ccf0b05aaab94d37

    SHA512

    e93ae2987fc277cb44f7d949339330df2f7ee6f43346bd573150baaf82e676f75f97d2ed3f296545b1fb8650b128ae837b473ebff1924784b3fd938ef421a4b8

  • C:\Users\Admin\AppData\Local\Temp\1b4e5eb487d966f8b446cf7effd2ac69_JaffaCakes118.68911\iext.fnr

    Filesize

    74KB

    MD5

    37adc90bb984551751410d9e4012721b

    SHA1

    c1834985a3c52faf383d35e483644b116cadf706

    SHA256

    7ef60380175aaf88552343f8068f58e7d7fa3e4285ca3ef10ccdbc4e60b7978b

    SHA512

    618de79dc8fb1789a5e80d79a868b9c8d8f4212beff8a7c84cfbe433bc36b59f1a7baf9f8e7f8398b2d69fe461047557cc0b078a75fcdab172569e9846cc7be6

  • memory/232-1-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/232-5-0x0000000010000000-0x000000001018A000-memory.dmp

    Filesize

    1.5MB

  • memory/232-12-0x00000000023F0000-0x0000000002436000-memory.dmp

    Filesize

    280KB

  • memory/232-13-0x00000000023F0000-0x0000000002436000-memory.dmp

    Filesize

    280KB

  • memory/232-14-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/232-16-0x0000000010000000-0x000000001018A000-memory.dmp

    Filesize

    1.5MB

  • memory/232-21-0x0000000010000000-0x000000001018A000-memory.dmp

    Filesize

    1.5MB