Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2024 12:42
Static task: static1
Behavioral task: behavioral1
- Sample: 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe
- Size: 77KB
- MD5: 3927f404014bd5bd464d1244bce13068
- SHA1: 4d7b4a9e50b4aacd1821764be41c0e0ee63c261b
- SHA256: 49178cb58b3d107746d137b19b843c552c671ce07b1e6e1d6dd88c849c027d38
- SHA512: d06042d75b76170b9544d8328b694b9f22ed23f4a3aa8f37b69788450e18283af5432ca4ef30b309366631221cd9bf2760f34ccbae3bc6248ddc11ba5f3b696f
- SSDEEP: 1536:p4q8Q1xZtffrb8sjPFNhTYsFFrzckH2fmitmqqcUfQVUfF:qKtfDwsjPThTYszDH2fucUQY
Malware Config
Signatures
Deletes itself (1 IoC)
- PID 2808 cmd.exe

Executes dropped EXE (2 IoCs)
- PID 2856 Logo1_.exe
- PID 2700 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
- PID 2808 cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Logo1_.exe opened the following drive roots read-only (NT object paths of the form \??\<letter>:), in the order recorded:
X:, W:, U:, T:, O:, K:, Y:, V:, N:, M:, I:, R:, P:, J:, H:, E:, Z:, S:, Q:, L:, G:
Every letter from E: through Z: except D: and F: appears, which is consistent with a loop over candidate drive letters rather than a lookup of drives that actually exist.
Drops file in Program Files directory (64 IoCs)
All 64 records are "File opened for modification" by Logo1_.exe, and every target is an executable:
- C:\Program Files\Java\jre7\bin\javaws.exe
- C:\Program Files\Java\jre7\bin\jp2launcher.exe
- C:\Program Files\Java\jre7\bin\kinit.exe
- C:\Program Files (x86)\Internet Explorer\ieinstal.exe
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- C:\Program Files\Mozilla Firefox\updater.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
- C:\Program Files (x86)\Windows Mail\WinMail.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
- C:\Program Files\Mozilla Firefox\private_browsing.exe
- C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
- C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe
- C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
- C:\Program Files\Java\jre7\bin\klist.exe
- C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe
- C:\Program Files\Windows Journal\Journal.exe
- C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
- C:\Program Files\Java\jre7\bin\pack200.exe
- C:\Program Files\Microsoft Games\Hearts\Hearts.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
- C:\Program Files\Mozilla Firefox\firefox.exe
- C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
- C:\Program Files\DVD Maker\DVDMaker.exe
- C:\Program Files\Java\jre7\bin\java.exe
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
- C:\Program Files (x86)\Windows Media Player\wmprph.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
- C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
- C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
- C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
- C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Java\jre7\bin\rmid.exe
- C:\Program Files (x86)\Google\Update\Install\{2B81D3B1-6134-4F8A-A160-385C02BE7682}\chrome_installer.exe
- C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
- C:\Program Files\Mozilla Firefox\plugin-container.exe
- C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
- C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
- C:\Program Files\Java\jre7\bin\servertool.exe
- C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
- C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
- C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
The sandbox reports the open-for-write, not whether bytes were actually changed; the 64-record cap also means the real list may be longer.
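The 64 write-access opens above tell you which executables Logo1_.exe touched, not which ones it actually changed. The check a responder runs next is a baseline-and-diff hash sweep over the application directories. The following is an added example, not the sandbox's or the sample's code; it builds a throwaway directory tree with tempfile (constructed, not the report's files) and simulates one overwritten executable plus one new drop to show what the diff surfaces, including the uniform size growth a prepending or appending infector leaves behind.

```python
"""Baseline-and-diff integrity sweep for executables under a directory tree.
Added example, not from the sandbox report.  The fake tree in demo() is
constructed with tempfile and stands in for C:\\Program Files."""
import hashlib
import tempfile
from pathlib import Path

MZ_HEADER = b"MZ"


def is_pe(path: Path) -> bool:
    """Cheap filter: does the file start with the 'MZ' DOS header?  This is
    a selection heuristic, not an authenticity check."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == MZ_HEADER
    except OSError:
        return False


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map relative POSIX-style path -> (size, sha256) for every PE file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_pe(p):
            out[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return out


def diff_baseline(before: dict, after: dict) -> dict:
    """Compare two hash_tree() snapshots.  'growth' records the byte delta of
    each modified file: an infector that prepends or appends its body makes
    every victim grow by roughly the same amount, which is easy to spot."""
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    growth = {k: after[k][0] - before[k][0] for k in modified}
    return {"modified": modified, "added": added, "removed": removed, "growth": growth}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate an infector, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "7-Zip").mkdir()
        (root / "Mozilla Firefox").mkdir()
        victims = [root / "7-Zip" / "7z.exe", root / "Mozilla Firefox" / "firefox.exe"]
        for v in victims:
            v.write_bytes(b"MZ" + b"\x90" * 200)          # fake clean PE bodies
        (root / "Mozilla Firefox" / "readme.txt").write_bytes(b"not a PE")  # ignored
        before = hash_tree(root)

        # Simulated infection: a 100-byte stub prepended to one victim, plus a new drop.
        stub = b"MZ" + b"\xcc" * 98
        firefox = victims[1]
        firefox.write_bytes(stub + firefox.read_bytes())
        (root / "Logo1_.exe").write_bytes(b"MZ" + b"\xcc" * 50)
        after = hash_tree(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the baseline is `hash_tree(Path(r"C:\Program Files"))` taken from known-good media (or before detonation), serialised, and compared against a fresh sweep; hashes from the dropped-file list in this report can be checked against the `added` entries. Treat a consistent non-zero `growth` across many unrelated vendors' executables as a strong infector signal.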
Drops file in Windows directory (2 IoCs)
- File created C:\Windows\Logo1_.exe by 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe
- File created C:\Windows\virDll.dll by Logo1_.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 2856 Logo1_.exe (8 records)

Suspicious use of WriteProcessMemory (14 IoCs)
Each source/target pair was recorded several times; the repeats are collapsed here with a count.
- PID 2092 (3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe) wrote to memory of PID 2808, procid_target 30: 4 records
- PID 2092 (3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe) wrote to memory of PID 2856, procid_target 32: 4 records
- PID 2856 (Logo1_.exe) wrote to memory of PID 1208 (Explorer.EXE), procid_target 21: 2 records
- PID 2808 (cmd.exe) wrote to memory of PID 2700, procid_target 33: 4 records
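The signature records above are what a triage script would consume. As an added example (not the sandbox's own tooling), the script below parses records in exactly this flattened format, groups them by acting process, records the cross-process memory-write edges, and flags any process that both enumerates drive letters and opens several Program Files executables for write, the pairing that separates a file infector from an installer. The SAMPLE_RECORDS string is constructed from a subset of this report's IoCs; the three-target threshold is an assumption chosen for illustration.

```python
"""Triage helper for flattened sandbox signature records in the format used
by this report.  Added example, not the sandbox's code.  SAMPLE_RECORDS is
constructed from a subset of the report's IoCs, one record per line."""
import re
from collections import defaultdict

SAMPLE_RECORDS = """\
File created C:\\Windows\\Logo1_.exe 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe
File created C:\\Windows\\virDll.dll Logo1_.exe
File opened (read-only) \\??\\X: Logo1_.exe
File opened (read-only) \\??\\E: Logo1_.exe
File opened (read-only) \\??\\Z: Logo1_.exe
File opened for modification C:\\Program Files\\Mozilla Firefox\\firefox.exe Logo1_.exe
File opened for modification C:\\Program Files\\7-Zip\\7z.exe Logo1_.exe
File opened for modification C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE Logo1_.exe
File opened for modification C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe Logo1_.exe
PID 2092 wrote to memory of 2856 2092 3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe 32
PID 2856 wrote to memory of 1208 2856 Logo1_.exe 21
PID 2808 wrote to memory of 2700 2808 cmd.exe 33
"""

# Paths may contain spaces; the acting process name is always the last token.
FILE_RE = re.compile(
    r"^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$")
# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
MEM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # NT object path like \??\X:
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def _new_entry():
    return {"drives": set(), "pf_exe_writes": [], "created": [], "mem_targets": []}


def parse_records(text):
    """Return {process_name: summary} built from one record per line."""
    summary = defaultdict(_new_entry)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            action, path, proc = m.groups()
            entry = summary[proc]
            drive = DRIVE_RE.match(path)
            if action == "opened (read-only)" and drive:
                entry["drives"].add(drive.group(1))
            elif action == "created":
                entry["created"].append(path)
            elif action == "opened for modification":
                low = path.lower()
                if low.startswith(PROGRAM_FILES) and low.endswith(".exe"):
                    entry["pf_exe_writes"].append(path)
            continue
        m = MEM_RE.match(line)
        if m:
            _src, dst, _src_again, proc, _target_idx = m.groups()
            summary[proc]["mem_targets"].append(int(dst))
    return dict(summary)


def flag_infector_candidates(summary, min_targets=3):
    """Processes that enumerate drives AND open >= min_targets Program Files
    executables for write.  min_targets is an illustrative threshold."""
    return sorted(p for p, s in summary.items()
                  if s["drives"] and len(s["pf_exe_writes"]) >= min_targets)


if __name__ == "__main__":
    result = parse_records(SAMPLE_RECORDS)
    for proc, s in result.items():
        print(proc, "drives:", sorted(s["drives"]),
              "PF exe writes:", len(s["pf_exe_writes"]),
              "created:", s["created"], "wrote to PIDs:", s["mem_targets"])
    print("file-infector candidates:", flag_infector_candidates(result))
```

Feed it the full export of a report rather than the excerpt and the drive set for Logo1_.exe becomes the 21 letters listed above, with 64 write-access targets; the memory-write edges (2092 to 2808 and 2856, 2808 to 2700, 2856 to 1208) reproduce the process tree shown later in the report.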
Processes
C:\Windows\Explorer.EXE (PID 1208)
└── C:\Users\Admin\AppData\Local\Temp\3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe (PID 2092)
    command line: "C:\Users\Admin\AppData\Local\Temp\3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    ├── C:\Windows\SysWOW64\cmd.exe (PID 2808)
    │   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a78F7.bat
    │   - Deletes itself
    │   - Loads dropped DLL
    │   - Suspicious use of WriteProcessMemory
    │   └── C:\Users\Admin\AppData\Local\Temp\3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe (PID 2700)
    │       command line: "C:\Users\Admin\AppData\Local\Temp\3927f404014bd5bd464d1244bce13068_JaffaCakes118.exe"
    │       - Executes dropped EXE
    └── C:\Windows\Logo1_.exe (PID 2856)
        command line: C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

Note: the batch file run by PID 2808 re-executes the sample's original path (PID 2700), and the sandbox classifies that second run as a dropped EXE, which implies the file at that path was rewritten during the run before being relaunched; the batch file is then removed ("Deletes itself" on the cmd.exe process). The 77KB sample is 19KB larger than the 58KB download listed below, but the report does not state which dropped file corresponds to which hash.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 614B
  MD5: 503f3426da8531d864ccce82718f247a
  SHA1: 38d23ad37a5f67274ab3e0081ee8c589b138f14b
  SHA256: 5cc7ad1c37a11db31604d71eff585701c16be3f87188dfc0abbe47c5c75779bb
  SHA512: d0cd5057012c43cbe9b1c63ac26df2555c20cc853b81d33e5519bee49871199e3f9eff81fa291cb7f081168e4310c5bef3f535329908b918a80d2e9d601e6f05
- Filesize: 19KB
  MD5: 7fe494b38c56e8fc7014102aaf266f36
  SHA1: d425c70aba2e45725f57d374b60a6868a98a215e
  SHA256: 5e001687ee99369421c495580aa8a366ade403155fb53a96f30f4ff1781316ed
  SHA512: eb448572c84eb82fa14e1903d4b1933d0773b434f93aeb44a5e85728d5dae132d64850e45453f360ed86ec3ff15842cf9b0eda74ac4cd68767d7b4a5872e49fe
- Filesize: 58KB
  MD5: 8418ecb1fd59d8a93be3de4c0dc2911c
  SHA1: 6d29aa0c3e0508c75fb8b90e5267555fe5124076
  SHA256: c981bbc4e5ac96ef0750e071b28444383f8f413646396b4bbaf62eed6b587c2d
  SHA512: eadbead9a43375961b7c6e3f5bcf94940edda9c66b41d3eacb1a598960a1a6240e328bf2961507b8e2f7320d7823579d934a053f1e2fcb07bda12745ed6dfb0f