13a3581a37706be4f1981aca5698e17148a0c72936349764a7588f58f5bb2cf7

Analysis

max time kernel
143s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 09:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
Size

191KB
MD5

2bc85ec3e2af255b36a3dbef4fb571dc
SHA1

17498d068aa728382146f856b3ed157f4016d660
SHA256

13a3581a37706be4f1981aca5698e17148a0c72936349764a7588f58f5bb2cf7
SHA512

16cd93da5720aa01ce26c9081eac4b00bbe224314ba690106d045be1a4bc6ae739be4adc78f8d3fa70c84f42b556ddfc27a3a9ab6e39aa9ae2a5bb619894ad9b
SSDEEP

3072:iDm8eGKHNU7haVnJWfqE7YFwsYx5mSnV19/kaUaq7oq2mrBYRwEE0yAEHB3t:iDmGMSQdqNYF5YxN1CTaq7woewEo

Score

10^/10

persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4072-1-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4072-2-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3940-13-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3940-12-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4072-49-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3368-117-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/3368-116-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4072-119-0x0000000000400000-0x0000000000490000-memory.dmp	upx
behavioral2/memory/4072-188-0x0000000000400000-0x0000000000490000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3940	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	90
PID 4072 wrote to memory of 3940	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	90
PID 4072 wrote to memory of 3940	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	90
PID 4072 wrote to memory of 3368	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	94
PID 4072 wrote to memory of 3368	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	94
PID 4072 wrote to memory of 3368	4072	2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2bc85ec3e2af255b36a3dbef4fb571dc_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1440,i,10426317566413639638,17907471819827662535,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
1⤵
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\057D.D31

Filesize
600B

MD5
4e2cc75346889046bbb240a2514b2b48

SHA1
4156d49f396835a86cb08a4e8cd66a84e5897259

SHA256
e6a4a8df012c806ddeec742e952f9c344ecccb7361d8e3779f95f6ff9f3f2a6d

SHA512
00245063ccddb971a7287be6082f8442b08669844c11425de4efca374ba1ba712bd83f653de3f82c4dae349dd7aa4bccb5ae7bef2846fc7c43987875f2ce5cac

Download Submit
memory/3368-117-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3368-116-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3940-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3940-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4072-1-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4072-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4072-49-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4072-119-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4072-188-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads