6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
Size

479KB
MD5

36655025d8d1ddf19b9780f2391c7acd
SHA1

e97b5500000c4614ba7c46cbc2bb6dd6fc2f1cfb
SHA256

6a8767ed4d25c0444d394a35f6e5ceede87c6f08d97682598eefd27d7457071c
SHA512

0df345a77bb09abfb0e9af3a7abe15c81dc5f87646115c5aa287c5528a7c919f11a8e68c58b2883e9dce2e0dc40d6bbc3f06f18d4e18b7b0d8d3e074ef6e86c8
SSDEEP

12288:79v4xR9UTVoi1U+yOsgqj2lC2I18DfqWdx49z6Bga:72xR9AV3O+7sgzp+8fdxZ

Score

9^/10

collection

Malware Config

Signatures

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2936-56-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView
behavioral2/memory/2936-55-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView
behavioral2/memory/2936-54-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView
behavioral2/memory/2936-51-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView
behavioral2/memory/2936-57-0x0000000000400000-0x000000000041A000-memory.dmp	MailPassView

Nirsoft 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2908-23-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/2908-22-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/2908-24-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/2908-21-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/2908-18-0x0000000000400000-0x000000000041E000-memory.dmp	Nirsoft
behavioral2/memory/4208-43-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/4208-45-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/4208-46-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/4208-44-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/4208-40-0x0000000000400000-0x0000000000414000-memory.dmp	Nirsoft
behavioral2/memory/2936-56-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/2936-55-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/2936-54-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/2936-51-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/2936-57-0x0000000000400000-0x000000000041A000-memory.dmp	Nirsoft
behavioral2/memory/1344-75-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/1344-78-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/1344-80-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/1344-79-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft
behavioral2/memory/1344-81-0x0000000000400000-0x0000000000417000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

Processes:

passstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exepassstealer.exe

pid	process
676	passstealer.exe
2908	passstealer.exe
3660	passstealer.exe
4208	passstealer.exe
2936	passstealer.exe
2328	passstealer.exe
1344	passstealer.exe
1628	passstealer.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

passstealer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	passstealer.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

passstealer.exe

description	pid	process	target process
PID 676 set thread context of 2908	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 3660	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 4208	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 2936	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 2328	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 1344	676	passstealer.exe	passstealer.exe
PID 676 set thread context of 1628	676	passstealer.exe	passstealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

passstealer.exe

pid process

2908 passstealer.exe
2908 passstealer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

passstealer.exepassstealer.exe

description pid process

Token: SeDebugPrivilege 2908 passstealer.exe
Token: SeDebugPrivilege 4208 passstealer.exe

pid	process
2908	passstealer.exe
2908	passstealer.exe

description	pid	process
Token: SeDebugPrivilege	2908	passstealer.exe
Token: SeDebugPrivilege	4208	passstealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exepassstealer.exe

description	pid	process	target process
PID 4672 wrote to memory of 676	4672	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 4672 wrote to memory of 676	4672	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 4672 wrote to memory of 676	4672	36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2908	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 3660	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 4208	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2936	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 2328	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1344	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe
PID 676 wrote to memory of 1628	676	passstealer.exe	passstealer.exe

C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36655025d8d1ddf19b9780f2391c7acd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\Desktop\passstealer.exe
"C:\Users\Admin\Desktop\passstealer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:3660

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2936

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\Desktop\passstealer.exe
/stext C:\Users\Admin\AppData\Local\Temp\temp.txt
3⤵
- Executes dropped EXE
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.txt

Filesize
33B

MD5
fec8656dbc9772ee24163ae3d57f41d9

SHA1
4e82071ada9bdc0002decba8b18b22a6dfdd127d

SHA256
7a3295b2c8c4797b8e5b4616bcc19bca30266371a54666855cbc67d443a3e4f4

SHA512
7c5965e41515a34db05c442587607bb51b6a3a8662df39513474f0d12c1236d882989d8c8bc99d24be27531c0e0df76af8c4beaf45e041767ab6ba2c72fc9326

Download Submit
C:\Users\Admin\Desktop\passstealer.exe

Filesize
275KB

MD5
bec96c96ff53280aad44543234a1606b

SHA1
a230dbce7f3b73018e8c73923a7118c539798709

SHA256
afae687bf5a551d4c2bddadf1bfcd859606f698ece41970bdcf6ff36dd94f4af

SHA512
80efc60df3c9b9afd39041c4fc917a43026acb8bd35d6a23928567512cbc8bd2cc89ca32fca3fa56df23592d9bba2e350607de514b90618d1844c829f4613110

Download Submit
memory/676-9-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/1344-79-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-75-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-78-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-80-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1344-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2328-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2328-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2908-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2908-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2936-48-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-50-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2936-49-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3660-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3660-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4208-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-45-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-46-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4208-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download