Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-07-2024 10:15

General

  • Target

    2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe

  • Size

    572KB

  • MD5

    2ff733dbb9b655a057ed7dfc2ea13daf

  • SHA1

    c1d27a666129297faffab19528a1a2864e8d52c3

  • SHA256

    071820da24f6b704ce6356e79ded9baad1acaa5e400fb8727c33bae6aa6f7a2f

  • SHA512

    c251ae16ffcac19858957029589accfdfc1df28ed3a3c9f2db25ddc22ae8bf9690b8a22304529ec2965ef465fea3398cd06b382e85ea8fb3a7d9d9aba8933cff

  • SSDEEP

    12288:ys8yx7i2iadN8gZE4DO5ABBCkwJbt4N8AS4EWtEjOBiZaB9BeuON/HcDfRjALs:PhG2iYeWAQaToEsOGiZawuON/HUf56s

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2ff733dbb9b655a057ed7dfc2ea13daf_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 548
        3⤵
          PID:2240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsoC15D.tmp\sixepu.dll

    Filesize

    17KB

    MD5

    040853f7eb99fcc82ea269734850785e

    SHA1

    8f18a3e2d9349d60de78194fcb62b7775cd297d6

    SHA256

    0f68d5467617881e66690c950d2d2f409129662d2f78d6b648a2e2bf89bf33c0

    SHA512

    cf5cd1fc536cec5d2c9735ad8129dd7990ef998403dd171bb5daf4b6d468beeb1d4a264124c701e57a89103231273b577e2a3858cd056182739e384395c56b6b

  • memory/2176-8-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2176-10-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2176-11-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2240-12-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB