128d2d807b95f20a2659212ce274abf69601ad191d5b4298378f0b3d8b0598b3

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
Size

2.6MB
MD5

21edf50a5f6f596cfcc65441999d0851
SHA1

92252373311222381ac5d6b9094084df3ad7506e
SHA256

128d2d807b95f20a2659212ce274abf69601ad191d5b4298378f0b3d8b0598b3
SHA512

dc16f31f99ea420991a178f5f6be4fb26043cb2a8898113769c839d366b9c2795ca43dcd7fa6675a760043c45920147e4dffbfbe807b8fc91589406ee6023950
SSDEEP

49152:8YKuLKbcJTudCFFi4qJdPm5ZZeg5/bCSrlHqPz6wA7c/FiG:8YVKbndCFFi4qnm5p5WMlHqPuwtkG

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3028	_1AD2.tmpac7d.exe
2140	AntiVirus Studio 2010.exe
1008	securitycenter.exe

Loads dropped DLL 10 IoCs

pid	Process
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\dnojm4wwvvol = "C:\\Users\\Admin\\AppData\\Local\\Temp\\21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe"	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiVirus = "\"C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus\\AntiVirus Studio 2010.exe\" /STARTUP"	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityCenter = "C:\\Users\\Admin\\AppData\\Roaming\\AntiVirus\\securitycenter.exe"	securitycenter.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.log	securitycenter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
Token: SeDebugPrivilege	2140	AntiVirus Studio 2010.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2140	AntiVirus Studio 2010.exe
1008	securitycenter.exe
1008	securitycenter.exe
2140	AntiVirus Studio 2010.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2140	AntiVirus Studio 2010.exe
1008	securitycenter.exe
2140	AntiVirus Studio 2010.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2140	AntiVirus Studio 2010.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
1008	securitycenter.exe
1008	securitycenter.exe
1008	securitycenter.exe
1008	securitycenter.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3028	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3028	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3028	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	28
PID 2936 wrote to memory of 3028	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2140	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2140	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2140	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2140	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2744	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2744	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2744	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2744	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2488	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2488	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2488	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2488	2936	21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1008	2140	AntiVirus Studio 2010.exe	36
PID 2140 wrote to memory of 1008	2140	AntiVirus Studio 2010.exe	36
PID 2140 wrote to memory of 1008	2140	AntiVirus Studio 2010.exe	36
PID 2140 wrote to memory of 1008	2140	AntiVirus Studio 2010.exe	36

C:\Users\Admin\AppData\Local\Temp\21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21edf50a5f6f596cfcc65441999d0851_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\_1AD2.tmpac7d.exe
  "C:\Users\Admin\AppData\Local\Temp\_1AD2.tmpac7d.exe" -p"17:44" -y -o"C:\Users\Admin\AppData\Roaming\AntiVirus"
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Users\Admin\AppData\Roaming\AntiVirus\AntiVirus Studio 2010.exe
  "C:\Users\Admin\AppData\Roaming\AntiVirus\AntiVirus Studio 2010.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\AntiVirus\securitycenter.exe
    "C:\Users\Admin\AppData\Roaming\AntiVirus\\securitycenter.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C dir "C:\Users\Admin\AppData\Roaming\AntiVirus"
  2⤵
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AntiVirus\AntiVirus Studio 2010.exe

Filesize
1.5MB

MD5
38bf2ac07badff4ae38acd12d5e1aefd

SHA1
25baec2f9e51958a78bff4ede4860c235586c319

SHA256
bf7c8f47880f3edb94a072fc9c9942e12c13b45b6a278054a68558f20a77d272

SHA512
802da120c3517ad6e07eaa462d4df37ff75bc598a98d8fc51a822251736c205ac78828ee823610a59727dfc72bf5fa96a3cc4b72d595a70a424e24838d82b7dc

Download Submit
\Users\Admin\AppData\Local\Temp\_1AD2.tmpac7d.exe

Filesize
1.9MB

MD5
5fcac9481d8ae34ff91dc58c013c1c56

SHA1
e2ccb8b5a6e78f75b71701dd9f8c35face228c25

SHA256
d165cceaf5e8430f6d5553fddb039a0647fbbf9787f88624a0a0d22c8070c8d3

SHA512
90d5edc9802d542606967c37c0125888f4dd4e41a26b283408ecc670aa19136a831e29ad8471b02d68c34bb224ecd42ff52d1d2f2183152b9c870524e102de42

Download Submit
\Users\Admin\AppData\Roaming\AntiVirus\securitycenter.exe

Filesize
289KB

MD5
fd2e98b0654d8977c489f8c2631f53cb

SHA1
5d35b804dd530044c45b1b9bca29a0ff7ad79641

SHA256
038af11731e418fd62e30935289febd90828c2e47f5eacc463382307093fee41

SHA512
1188cbd20f9760f5167a7efcb5fb894e5cfc362230bccc3d2d8004cdd1ec134a69b10e1f7340cc3a9be1d866219fe3ecec5e75ed0d25c8de289b79173fc395b5

Download Submit
memory/1008-69-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/1008-56-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/1008-50-0x0000000000400000-0x00000000006DE000-memory.dmp

Filesize
2.9MB

Download
memory/2140-55-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2140-71-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2140-39-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2140-58-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2140-49-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2140-52-0x0000000000400000-0x000000000184B000-memory.dmp

Filesize
20.3MB

Download
memory/2936-48-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/2936-54-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/2936-3-0x0000000000AF1000-0x0000000000AF5000-memory.dmp

Filesize
16KB

Download
memory/2936-47-0x0000000000AF1000-0x0000000000AF5000-memory.dmp

Filesize
16KB

Download
memory/2936-38-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/2936-4-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download