ac0484fc0e3af9a843dc8aec1e90895ce23fdda60f31ec7bf41b9841ee8a6678

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe
Size

1.6MB
MD5

260eccfdb352060fefe17f5c0cbb60c6
SHA1

86cb0fbdd6c6e7bd9ab07d07933d162742b77cb6
SHA256

ac0484fc0e3af9a843dc8aec1e90895ce23fdda60f31ec7bf41b9841ee8a6678
SHA512

c35c48c908f27990fb3a0662f305d461f64f7c6f7dd9c853a12a144f891b9fa9bb7d9d64a738f29c9149a9e52f540abcc5215fa4ec5a98cf01f867f5736c5ca2
SSDEEP

24576:qn18+bGPMXezPedtMv68Y/qOdwa+HoaWaJvWtblDapYh9u0vh1loEgrHcMYffi:friyvHYd6oaWGu9IpYG0vnl/grWS

Score

10^/10

evasion spyware stealer

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\5445:TCP = "5445:TCP:*:Enabled:@xpsp2res.dll,-22003"	WScript.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0018000000013a44-14.dat	acprotect

Executes dropped EXE 6 IoCs

pid	Process
2424	Crypted.exe
2080	euuu .jpg.exe
2416	smss.exe
2876	smss.exe
1660	smss.exe
2044	smss.exe

Loads dropped DLL 27 IoCs

pid	Process
2424	Crypted.exe
2424	Crypted.exe
2080	euuu .jpg.exe
2080	euuu .jpg.exe
2080	euuu .jpg.exe
2080	euuu .jpg.exe
2584	WScript.exe
2604	WScript.exe
2584	WScript.exe
2584	WScript.exe
2416	smss.exe
2416	smss.exe
2416	smss.exe
2416	smss.exe
2584	WScript.exe
2584	WScript.exe
2876	smss.exe
2876	smss.exe
2876	smss.exe
2876	smss.exe
2584	WScript.exe
2584	WScript.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
1660	smss.exe
2044	smss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PIF	euuu .jpg.exe
File created	C:\Windows\PIF\reg1.reg	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\reg.reg	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\cmd.vbe	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\smss.exe	euuu .jpg.exe
File created	C:\Windows\PIF\cmd.vbe	euuu .jpg.exe
File created	C:\Windows\PIF\AdmDll.dll	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\AdmDll.dll	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\reg1.reg	euuu .jpg.exe
File created	C:\Windows\PIF\reg.reg	euuu .jpg.exe
File created	C:\Windows\PIF\smss.exe	euuu .jpg.exe
File created	C:\Windows\PIF\firewall.vbe	euuu .jpg.exe
File opened for modification	C:\Windows\PIF\firewall.vbe	euuu .jpg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
2096	regedit.exe
2436	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2080	euuu .jpg.exe
Token: SeBackupPrivilege	2080	euuu .jpg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2424	Crypted.exe
2080	euuu .jpg.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2424	1560	260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe	28
PID 1560 wrote to memory of 2424	1560	260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe	28
PID 1560 wrote to memory of 2424	1560	260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe	28
PID 1560 wrote to memory of 2424	1560	260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2424 wrote to memory of 2080	2424	Crypted.exe	29
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2080 wrote to memory of 2584	2080	euuu .jpg.exe	30
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2604	2584	WScript.exe	31
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2096	2584	WScript.exe	32
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2436	2584	WScript.exe	33
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2416	2584	WScript.exe	34
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 2876	2584	WScript.exe	35
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36
PID 2584 wrote to memory of 1660	2584	WScript.exe	36

C:\Users\Admin\AppData\Local\Temp\260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\260eccfdb352060fefe17f5c0cbb60c6_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\Crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Roaming\euuu .jpg.exe
    "C:\Users\Admin\AppData\Roaming\euuu .jpg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\PIF\cmd.vbe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\PIF\firewall.vbe"
        5⤵
        Modifies firewall policy service
        Loads dropped DLL
        
        PID:2604
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\regedit.exe" /s C:\Windows\PIF\reg.reg
        5⤵
        Runs .reg file with regedit
        
        PID:2096
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\regedit.exe" /s C:\Windows\PIF\reg1.reg
        5⤵
        Runs .reg file with regedit
        
        PID:2436
    - - C:\Windows\PIF\smss.exe
        
        "C:\Windows\PIF\smss.exe" /install /silence
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2416
    - - C:\Windows\PIF\smss.exe
        
        "C:\Windows\PIF\smss.exe" /pass:xplicit /port:5445 /save /silence
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2876
    - - C:\Windows\PIF\smss.exe
        
        "C:\Windows\PIF\smss.exe" /start /silence
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1660

C:\Windows\PIF\smss.exe
"C:\Windows\PIF\smss.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
1009KB

MD5
a312ed4bcd88b776a2aa22a7b488229d

SHA1
142c93daed47e7fcbde63a7df92357d7a30428fe

SHA256
290a9863fbca61b8c7d0d1b4e7301e75ec94178a71d32c9c4677dad762edd518

SHA512
ca1f6c4b9592433afa1dc5315bfe091b4a32ca43b9a922ac355a42e96dac30f7e28769f2e5e0e5060ca6d9193e90fddbf6b8b32f8758afb4e7f5b2266a44559a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbl12C7.tmp

Filesize
297KB

MD5
567c7be4f415a689939cbd63aaa7754c

SHA1
7bef5eada626168b086d9e55080c1aa7f5eefabe

SHA256
2b1c0132d0c21381538f816940709142479320cc6ef37f4ef948fde669fff486

SHA512
57659ee7a4bc3ed119e58258c3b8581cd57a536b439008a317a26958cae8c13808ea51270ca44790e63937da5b5d96bb6a3dbaeb43692c311ae19d5aa34f7fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbl12C7.tmp

Filesize
297KB

MD5
4eb9d314d1e5dea0f0b05a9ce49655e5

SHA1
f96ff2386f941f4635461264b8a9bc1b33762f5e

SHA256
30414409ef519231ef6ae02e4b228ab947164767b2419dee1cae9043246a9939

SHA512
6e152b97ce9ad9b9d0a83383c8dcf727fba29b8dbd827f29d35e332094871815fa1632a45f30df9aaf385e7172f05f99ecb02c492247be7c6e208eef3e3197ca

Download Submit
C:\Users\Admin\AppData\Roaming\euuu .jpg.exe

Filesize
470KB

MD5
6b943a7cbe33bb1fe9608aa6fdb99cc9

SHA1
1ae19d37297c872b9bc86e34bacf8a18f59bc775

SHA256
e93c6b39d09d99d9ec6adf50087afdc646341c20e8adcbdc366581a4ba0fff25

SHA512
3e9f9a2c58720ff1cdfa0f61d90c80ff53f3b8069c1609f0a7b4e145bf163dc0fb13b8dee90bb1dc87448091e154aec895a32c22a5b542b072ff193385ba1cf4

Download Submit
C:\Windows\PIF\cmd.vbe

Filesize
531B

MD5
40b7488181074032b35b36f790e3b4d7

SHA1
495fbb91d17a22a211c99ffba757c612d220fd1d

SHA256
32ff28bc0fa11dafa988824e9c02b7f52082884ac09135d440a6df135092f3aa

SHA512
0d981d4ae16a6d0712b3c583e07126f64b490c599d3bdbdf7f72016499f37b6785c1c217cb41d5854126aa0634a8a51cbf7fd4c90c875e7ac645bc33478823c4

Download Submit
C:\Windows\PIF\firewall.vbe

Filesize
267B

MD5
30088192ecd38db91bb8332e3f4cbdec

SHA1
dbd421b46a212d047eb5cbf79d233e6557feed57

SHA256
4a3a6938cb7b4501982cee517b6d21007e855c1ea4d3ffe229a44fe4facd6e8d

SHA512
cd8df66bb39e0f3d5cea106b8dd4ea34ddf562f9b828e803243b3345bea9f681fab9b02168cd264ee19ad3a9f8c41ec513ca207a320b097f9dea17b16a425b0d

Download Submit
C:\Windows\PIF\reg.reg

Filesize
828B

MD5
e483050e5285a268eeb7730eabcfa03f

SHA1
c93cb3b84db521051f713afb192987bc356bb593

SHA256
bc35a9c29f2b75aa4c42a2ac403b25f26bb93a42cf76be5d3a5674e0d9ebbe8f

SHA512
0bbb51b583af80b81184ff1d9f50601424c69012301ef5bf82d0c9cef9f2271a460abddded0639f27eef808d539dbd4619de94851a731114d20cca1e1f4ab4bb

Download Submit
C:\Windows\PIF\reg1.reg

Filesize
258B

MD5
852bca3a6be73d7ba1d0cac7c2bb5603

SHA1
a93b0be44178620a548899b42c5d304185c83a99

SHA256
31550d77b0358435287e357b84958dd1c4787e838a3cb774e0c4b410aab10ecc

SHA512
5f99803f3099d6df552793b95f7685e82d284f079733fffcd4fc8557d395d7bf985026608eea522bfef9cc99ec2cf117633d6a42f85240b13703c1c898d69c3e

Download Submit
C:\Windows\PIF\smss.exe

Filesize
240KB

MD5
58aa9c1c75bfd50fe0dd98dff7934250

SHA1
659085afa2dab8ee8abca7071e329f13b003051b

SHA256
122080d3f810d1e32206bf8dd23dee3fee26fe1ab562dff1f61acc1353a5b2ec

SHA512
02c3d9ae0c34d0155fe5b847780ab4a4045ed117df6605905e60ae23a629383e2a2c351d659278a5e728ed39a4c375db585d64e1c782d7da305ca9ded256f684

Download Submit
\Users\Admin\AppData\Local\Temp\dbl1027.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Windows\PIF\AdmDll.dll

Filesize
88KB

MD5
c915181e93fe3d4c41b1963180d3c535

SHA1
f35e66bec967d4254338a120eea8159f29c06a99

SHA256
d8fc5d545e684a4d5001004463f762d190bee478eb3a329f65998bad53d3c958

SHA512
2a5ceeb919546a713e172823da75e8f58c98c1dcedfaa7cacbd48af57bcb8da49c6289908c6c2a1bb6bda4cc7fac58adffae4a500dfe0c503397ca9aa8e92e21

Download Submit
memory/1560-18-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-0-0x000007FEF595E000-0x000007FEF595F000-memory.dmp

Filesize
4KB

Download
memory/1560-3-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-2-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-1-0x000007FEF56A0000-0x000007FEF603D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2080-39-0x00000000008A0000-0x0000000000913000-memory.dmp

Filesize
460KB

Download
memory/2080-35-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/2080-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2080-98-0x00000000008A0000-0x0000000000913000-memory.dmp

Filesize
460KB

Download
memory/2424-16-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/2424-30-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2424-31-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/2424-22-0x0000000002A70000-0x0000000002A91000-memory.dmp

Filesize
132KB

Download
memory/2424-13-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2584-63-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2584-96-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2604-68-0x0000000000150000-0x00000000001C3000-memory.dmp

Filesize
460KB

Download
memory/2604-67-0x0000000000150000-0x00000000001C3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads