Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 21:10
Static task
static1
Behavioral task
behavioral1
Sample
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
-
Size
479KB
-
MD5
36655025d8d1ddf19b9780f2391c7acd
-
SHA1
e97b5500000c4614ba7c46cbc2bb6dd6fc2f1cfb
-
SHA256
6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c
-
SHA512
0df345a77bb09abfb0e9af3a7abe15c81dc5f87646115c5aa287c5528a7c919f11a8e68c58b2883e9dce2e0dc40d6bbc3f06f18d4e18b7b0d8d3e074ef6e86c8
-
SSDEEP
12288:79v4xR9UTVoi1U+yOsgqj2lC2I18DfqWdx49z6Bga:72xR9AV3O+7sgzp+8fdxZ
Malware Config
Signatures
-
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2936-56-0x0000000000400000-0x000000000041A000-memory.dmp MailPassView behavioral2/memory/2936-55-0x0000000000400000-0x000000000041A000-memory.dmp MailPassView behavioral2/memory/2936-54-0x0000000000400000-0x000000000041A000-memory.dmp MailPassView behavioral2/memory/2936-51-0x0000000000400000-0x000000000041A000-memory.dmp MailPassView behavioral2/memory/2936-57-0x0000000000400000-0x000000000041A000-memory.dmp MailPassView -
Nirsoft 20 IoCs
Processes:
resource yara_rule behavioral2/memory/2908-23-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral2/memory/2908-22-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral2/memory/2908-24-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral2/memory/2908-21-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral2/memory/2908-18-0x0000000000400000-0x000000000041E000-memory.dmp Nirsoft behavioral2/memory/4208-43-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral2/memory/4208-45-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral2/memory/4208-46-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral2/memory/4208-44-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral2/memory/4208-40-0x0000000000400000-0x0000000000414000-memory.dmp Nirsoft behavioral2/memory/2936-56-0x0000000000400000-0x000000000041A000-memory.dmp Nirsoft behavioral2/memory/2936-55-0x0000000000400000-0x000000000041A000-memory.dmp Nirsoft behavioral2/memory/2936-54-0x0000000000400000-0x000000000041A000-memory.dmp Nirsoft behavioral2/memory/2936-51-0x0000000000400000-0x000000000041A000-memory.dmp Nirsoft behavioral2/memory/2936-57-0x0000000000400000-0x000000000041A000-memory.dmp Nirsoft behavioral2/memory/1344-75-0x0000000000400000-0x0000000000417000-memory.dmp Nirsoft behavioral2/memory/1344-78-0x0000000000400000-0x0000000000417000-memory.dmp Nirsoft behavioral2/memory/1344-80-0x0000000000400000-0x0000000000417000-memory.dmp Nirsoft behavioral2/memory/1344-79-0x0000000000400000-0x0000000000417000-memory.dmp Nirsoft behavioral2/memory/1344-81-0x0000000000400000-0x0000000000417000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe -
Executes dropped EXE 8 IoCs
Processes:
passstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepid process 676 passstealer.exe 2908 passstealer.exe 3660 passstealer.exe 4208 passstealer.exe 2936 passstealer.exe 2328 passstealer.exe 1344 passstealer.exe 1628 passstealer.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
passstealer.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts passstealer.exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
passstealer.exedescription pid process target process PID 676 set thread context of 2908 676 passstealer.exe passstealer.exe PID 676 set thread context of 3660 676 passstealer.exe passstealer.exe PID 676 set thread context of 4208 676 passstealer.exe passstealer.exe PID 676 set thread context of 2936 676 passstealer.exe passstealer.exe PID 676 set thread context of 2328 676 passstealer.exe passstealer.exe PID 676 set thread context of 1344 676 passstealer.exe passstealer.exe PID 676 set thread context of 1628 676 passstealer.exe passstealer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
passstealer.exepid process 2908 passstealer.exe 2908 passstealer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
passstealer.exepassstealer.exedescription pid process Token: SeDebugPrivilege 2908 passstealer.exe Token: SeDebugPrivilege 4208 passstealer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exedescription pid process target process PID 4672 wrote to memory of 676 4672 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 4672 wrote to memory of 676 4672 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 4672 wrote to memory of 676 4672 36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2908 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 3660 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 4208 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2936 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 2328 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1344 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe PID 676 wrote to memory of 1628 676 passstealer.exe passstealer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Users\Admin\Desktop\passstealer.exe"C:\Users\Admin\Desktop\passstealer.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:3660 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2936 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:2328 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:1344 -
C:\Users\Admin\Desktop\passstealer.exe/stext C:\Users\Admin\AppData\Local\Temp\temp.txt3⤵
- Executes dropped EXE
PID:1628
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33B
MD5fec8656dbc9772ee24163ae3d57f41d9
SHA14e82071ada9bdc0002decba8b18b22a6dfdd127d
SHA2567a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4
SHA5127c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326
-
Filesize
275KB
MD5bec96c96ff53280aad44543234a1606b
SHA1a230dbce7f3b73018e8c73923a7118c539798709
SHA256afae687bf5a551d4c2bddadf1bfcd859606f698ece41970bdcf6ff36dd94f4af
SHA51280efc60df3c9b9afd39041c4fc917a43026acb8bd35d6a23928567512cbc8bd2cc89ca32fca3fa56df23592d9bba2e350607de514b90618d1844c829f4613110