fad372d90298a3d31f9a77d6b5280e93b63f08e78a1211a6dd8c142bf2e0fee9

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
Size

340KB
MD5

2d501d5aeb269dd5a6a7d471cb744260
SHA1

361268f4bdd03a10b51a8f0d82a60bf1547c48da
SHA256

fad372d90298a3d31f9a77d6b5280e93b63f08e78a1211a6dd8c142bf2e0fee9
SHA512

c50ba2a308f204ded47429b7630229f382db20e81730c428c24625875cadeab03af0e263dd19964ee6d6e423afa3398c932fee29ebc7f46aba3f0cbae4a82f03
SSDEEP

6144:gyHFZlxwyXzbqSY1qYXMwQe5n5sHFZlx55:lHFZlxwA+jhcvHFZlx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3012	eqs6D15.tmp

Loads dropped DLL 1 IoCs

pid	Process
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\RCXBB40.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC7AB.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXB8A2.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB9CC.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC2A1.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB971.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXBA3B.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXC304.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCXB7C5.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB914.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB913.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXBD63.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RCXBE6B.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCXBDCC.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXBE23.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXC62D.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXBC43.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\RCXBCA5.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXC346.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXC743.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB985.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB9B8.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXBA4E.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCXB7F9.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXB9F2.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB94D.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXBD64.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCXB973.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXB8A4.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXBC32.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXBCED.tmp	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30
PID 2700 wrote to memory of 3012	2700	2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\eqs6D15.tmp
  "C:\Users\Admin\AppData\Local\Temp\2d501d5aeb269dd5a6a7d471cb744260_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
291KB

MD5
95985cda956aa1a8028c1375b75a765b

SHA1
76d9372529355e9407e19db39939153629fc11e9

SHA256
4c928176f6e82ebacf12101766418389e511e765613c049fa2d0ec587e305105

SHA512
25fb597980911e28b94e84cd0273884f2776dd6d3572b3ed7c252bafd43ce8beedc0b86899e7cdf8918598b7a5a9c96736d38caa39b802cc4ac2956335b0c5fc

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\DW\RCXBE01.tmp

Filesize
14KB

MD5
03e53e4182e59a6979f47e59ad3ff01a

SHA1
dd72535d2e3e057e233445e9c7c42835a90b1972

SHA256
ca63ab5bf66edff6463c93dab0c454f66a12d25697bd2e19054586c95191df46

SHA512
6c2d70bfb885a5352bb5e775c28cdcba6ea23d3f255cecf32773cc4d26746b826fd880e51ff7582f88af9c6e94dee283f1f152defdec592ba0548197728c6657

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
942KB

MD5
3a1a023908868f55050839fa8797fe02

SHA1
797e8b5cf03f9dea2f3545c065ce34e129268338

SHA256
d8f6e4bbb86c18116e40b93619949f6bd06860ffc3eda2f81f8420bd365f25f0

SHA512
aed00a0f2a185305952546d1fbd1280af64938aa8a233ffe6c8f6f02d646b7bc59e81952bd183f9014cfec5b6e892fc55c7cfe7ba1e25162ba8aebec3ec5c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqs6D15.tmp

Filesize
236KB

MD5
60cb22b097bca43978ad7205b1db8f81

SHA1
2db323e1808a6517bda6dc08652034271a91c4bb

SHA256
4e917728154f66b54f9f3c85030d9964c62fb44de38973a6c81cd84f449d9e67

SHA512
98da0aa1f5957f2d986f168966fdefd934068f3ff66577a1c877355f9baec45621d4b4712dc9fe5950027cf9f3891421793d56d4c2352ce4f502f701e57dd9b2

Download Submit