Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10-07-2024 21:10
Static task
static1
Behavioral task
behavioral1
Sample
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
-
Size
479KB
-
MD5
36655025d8d1ddf19b9780f2391c7acd
-
SHA1
e97b5500000c4614ba7c46cbc2bb6dd6fc2f1cfb
-
SHA256
6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c
-
SHA512
0df345a77bb09abfb0e9af3a7abe15c81dc5f87646115c5aa287c5528a7c919f11a8e68c58b2883e9dce2e0dc40d6bbc3f06f18d4e18b7b0d8d3e074ef6e86c8
-
SSDEEP
12288:79v4xR9UTVoi1U+yOsgqj2lC2I18DfqWdx49z6Bga:72xR9AV3O+7sgzp+8fdxZ
Malware Config
Signatures
-
Nirsoft 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2592-37-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral1/memory/2592-42-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral1/memory/2592-43-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral1/memory/1392-86-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral1/memory/1392-82-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral1/memory/1392-87-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft -
Executes dropped EXE 8 IoCs
Processes:
passstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepid process 2248 passstealer.exe 2592 passstealer.exe 824 passstealer.exe 1392 passstealer.exe 1236 passstealer.exe 1820 passstealer.exe 2380 passstealer.exe 844 passstealer.exe -
Loads dropped DLL 7 IoCs
Processes:
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exepid process 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe 2248 passstealer.exe 2248 passstealer.exe 2248 passstealer.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
passstealer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts passstealer.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
passstealer.exedescription pid process target process PID 2248 set thread context of 2592 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 824 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 1392 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 1236 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 1820 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 2380 2248 passstealer.exe passstealer.exe PID 2248 set thread context of 844 2248 passstealer.exe passstealer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
passstealer.exepassstealer.exedescription pid process Token: SeDebugPrivilege 2592 passstealer.exe Token: SeDebugPrivilege 1392 passstealer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exepid process 2628 DllHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exedescription pid process target process PID 2780 wrote to memory of 2248 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 2780 wrote to memory of 2248 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 2780 wrote to memory of 2248 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 2780 wrote to memory of 2248 2780 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2592 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 824 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1392 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1236 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 1820 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe PID 2248 wrote to memory of 2380 2248 passstealer.exe passstealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\Desktop\passstealer.exe"C:\Users\Admin\Desktop\passstealer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:824 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1236 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:1820 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:2380 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:844
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
PID:2628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33B
MD5fec8656dbc9772ee24163ae3d57f41d9
SHA14e82071ada9bdc0002decba8b18b22a6dfdd127d
SHA2567a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4
SHA5127c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326
-
Filesize
6KB
MD51abe34ea26f8a94f15023b0ff256949e
SHA1601425b47463af5a5ffcacb87995a41cb7f3ca52
SHA2565d4177116dcbf4a759cdbe88e87684932e3d5763067cc181dcf955c9e67148b6
SHA5123bd495e09eecd0f38673abf2d5b20f62bd1b40a13c250baa61b1fae33d35d95245f0beb185938e290292b8628044fd8d040f9fed6432fb406218b29a58a6d04e
-
Filesize
275KB
MD5bec96c96ff53280aad44543234a1606b
SHA1a230dbce7f3b73018e8c73923a7118c539798709
SHA256afae687bf5a551d4c2bddadf1bfcd859606f698ece41970bdcf6ff36dd94f4af
SHA51280efc60df3c9b9afd39041c4fc917a43026acb8bd35d6a23928567512cbc8bd2cc89ca32fca3fa56df23592d9bba2e350607de514b90618d1844c829f4613110