Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-07-2024 09:29

Behavioral task: behavioral1
- Sample: 2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
- Size: 38KB
- MD5: 2bd1fb53eaa50768839e2f0af0f28776
- SHA1: 128ed940f232e13e96b03132365ef17c54c5ac2a
- SHA256: 90062e6119e33002894556095c0a649a4b2b3fffd4a06923d3d85f1009c35b37
- SHA512: 37e851d8a71cb2885476528c929422f7db73e48b70579eef85f7369e373a3e809a641a91810a524168358e90f9dd07588de287a612aa08447c35f2b2610fdc74
- SSDEEP: 768:BDRyti+nKpMbrOhvLXcgQqTO/yXeL9+K62aHAAxgjxPvlZ4:bl+nKpUChvLXcgQ4uL4rNHAOKlvlZ4
Malware Config
Signatures
-
Deletes itself (1 IoC)
- PID 2312, Process rundll32.exe
-
Loads dropped DLL (1 IoC)
- PID 2312, Process rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource / yara_rule:
- behavioral2/memory/3588-0-0x0000000000400000-0x0000000000418000-memory.dmp: upx
- behavioral2/memory/3588-12-0x0000000000400000-0x0000000000418000-memory.dmp: upx
- behavioral2/memory/3588-15-0x0000000000400000-0x0000000000418000-memory.dmp: upx
-
Drops file in System32 directory (11 IoCs)
description / ioc / Process (all by 2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe):
- File opened for modification: C:\Windows\SysWOW64\yuksuser.dll
- File created: C:\Windows\SysWOW64\dllcache\msimg32.dll
- File created: C:\Windows\SysWOW64\midimap.dll
- File created: C:\Windows\SysWOW64\dllcache\midimap.dll
- File created: C:\Windows\SysWOW64\yumsimg32.dll
- File created: C:\Windows\SysWOW64\msimg32.dll
- File created: C:\Windows\SysWOW64\yuksuser.dll
- File created: C:\Windows\SysWOW64\ksuser.dll
- File created: C:\Windows\SysWOW64\dllcache\ksuser.dll
- File created: C:\Windows\SysWOW64\yumidimap.dll
- File created: C:\Windows\SysWOW64\sysapp10.dll
-
Launches sc.exe (2 IoCs)
sc.exe is a Windows utility to control services on the system.
- PID 4324, Process sc.exe
- PID 3152, Process sc.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 3588, Process 2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe (8 entries)
-
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3588, Process 2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
description / pid / Process / procid_target:
- PID 3588 (2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe) wrote to memory of 4288, procid_target 83 (3 entries)
- PID 3588 (2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe) wrote to memory of 4324, procid_target 84 (3 entries)
- PID 3588 (2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe) wrote to memory of 3152, procid_target 85 (3 entries)
- PID 4288 (net.exe) wrote to memory of 2900, procid_target 89 (3 entries)
- PID 3588 (2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe) wrote to memory of 2312, procid_target 94 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bd1fb53eaa50768839e2f0af0f28776_JaffaCakes118.exe"
  PID: 3588
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop cryptsvc
    PID: 4288
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop cryptsvc
      PID: 2900
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config cryptsvc start= disabled
    PID: 4324
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc delete cryptsvc
    PID: 3152
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1720453456.dat, ServerMain c:\users\admin\appdata\local\temp\2bd1fb53eaa50768839e2f0af0f28776_jaffacakes118.exe
    PID: 2312
    Signatures: Deletes itself; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 41KB
  MD5: a075db812ea594e9c572f2d49e36d513
  SHA1: f4cbb58baf6eaf3f924c2756cf79978f0cc3618a
  SHA256: 0ba62de9f320d0d22a10739250587762601a2eafb60bed45a160de05eaa3a34d
  SHA512: cef31e594e4eaa07ee857e9ee996201aca3afd0c67db666cce3d1fc858eae0567eef67394dc4cafaadac90da0b767f877b5b11022eff22dce5589eea2e4fa4dd