Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/07/2024, 22:09

General

  • Target
    438865e77cbdc54d8a00c57a64f1b5a1_JaffaCakes118.exe
  • Size
    322KB
  • MD5
    438865e77cbdc54d8a00c57a64f1b5a1
  • SHA1
    a2a6af25ee28a9a0ade46734701bcebf15a7e4ab
  • SHA256
    253ed82cd534713a8393692075c3c28f525dd43712671b3c42e43b20d66a3dda
  • SHA512
    f490bc06a6801ff2a4f94fdc48d09239215d10a6a12141c71d3b71a58d9afc49ada318b3718bb6c035464a5bd5df3a851d05e77d105f831c9ae9a17a7eaf990c
  • SSDEEP
    3072:XD2hT7lKbvfldRMtyyYyOTXsF5XN10A8oPcnDArqeFndYP0qz9X/0ljywg:XDe7lKbnlMg/yO7aNkAyeNFnUHZUWP

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\438865e77cbdc54d8a00c57a64f1b5a1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\438865e77cbdc54d8a00c57a64f1b5a1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
      C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\pwrwin.exe
    • Filesize
      239KB
    • MD5
      c6684504d881a42aedf492c7ce76403b
    • SHA1
      e189b4d471ae2401d566d339ee2882d71a96d1c8
    • SHA256
      b05f84c33df2974f481ad29b254cbfda0f7ae6b5f3f89a8598eea543b6f0b901
    • SHA512
      6753febce42a22368966ccbe138fad3d6cc22337ec5f658625d7e71f789552e6ce82067aa2f94176a0d1ba92b7ab30f2ce4bf17417ee6bebc1455d63895ada3c
  • \Users\Admin\AppData\Local\Temp\ctxmon.exe
    • Filesize
      115KB
    • MD5
      b41dd2240b072ec09744353fc20b7f83
    • SHA1
      33ffb4d4d4cb3e38b674d71abef6e9946b0cf9a8
    • SHA256
      2b8614f538c2d60ff88db94992fd42f938e444d0074308f8a02f3e7d7e38c3d3
    • SHA512
      8fcc0366f7ea38b474205a6f9e1a0e7ca41dfc16be59e5c06b72eed32b83fb1936bbe1a2b9d77231dcff06d615347e51e9d0e7ec3f8fad31f42d1b4829adedd1
  • memory/2292-4-0x0000000000170000-0x00000000001A5000-memory.dmp
    • Filesize
      212KB
  • memory/2292-2-0x0000000001000000-0x0000000001054000-memory.dmp
    • Filesize
      336KB
  • memory/2292-11-0x0000000001006000-0x0000000001008000-memory.dmp
    • Filesize
      8KB
  • memory/2292-9-0x0000000000170000-0x00000000001A5000-memory.dmp
    • Filesize
      212KB
  • memory/2292-10-0x0000000000170000-0x00000000001A5000-memory.dmp
    • Filesize
      212KB
  • memory/2292-13-0x0000000000170000-0x00000000001A5000-memory.dmp
    • Filesize
      212KB
  • memory/2292-14-0x0000000000170000-0x00000000001A5000-memory.dmp
    • Filesize
      212KB
  • memory/2292-15-0x0000000001000000-0x0000000001054000-memory.dmp
    • Filesize
      336KB