00edbdf03b27bf63b379c087015c563871b07e2da0804d3c939c20bdf6a5e64f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe
Size

77KB
MD5

2609ac3ef3d06da4ceb703dd3206f48f
SHA1

860ab2168ce49b86e2eb9013f38fac8e13471a0e
SHA256

00edbdf03b27bf63b379c087015c563871b07e2da0804d3c939c20bdf6a5e64f
SHA512

930774ff44e2004ba134cfee70cebbbcae8cbe44621c9f0a238ce6075f98a95fdd8a8d95a284415a60828888d90d90e21b22c3747339804dc4c477bee5c77dda
SSDEEP

1536:AMXdGV7bMWWOFkV0du8uFSoyRI57ZBYIHO43Tya8g9p9d0zUe:AMXdGV7tqiY8uFHyO57ZB5z3Tyoqr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2456	datei.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2456	1904	2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe	28
PID 1904 wrote to memory of 2456	1904	2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe	28
PID 1904 wrote to memory of 2456	1904	2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe	28
PID 1904 wrote to memory of 2456	1904	2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2609ac3ef3d06da4ceb703dd3206f48f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\datei.exe
  C:\Users\Admin\AppData\Local\Temp\datei.exe /stext C:\Users\Admin\AppData\Local\Temp\text.txt
  2⤵
  - Executes dropped EXE
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\datei.exe

Filesize
35KB

MD5
90d77745113079fed0faf945c6f9c915

SHA1
793367afbb4caf0df938748e3999ab386fe1b077

SHA256
c5343f6d06b70bc2f4ce38e34934d0f6078145ab92845feecd8952a290dd8973

SHA512
81faa265b35a6fb8122ebded02b47a86f107357da2dc4673cfd4bf925e42eb83550e35368043499b290921f5e62194c9e1b5570748a9f5df65791edba72873bf

Download Submit
memory/1904-0-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

Filesize
4KB

Download
memory/1904-1-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/1904-2-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/1904-8-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/1904-16-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2456-9-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/2456-10-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-11-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-15-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-17-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2456-18-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download