Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 13-07-2024 17:13
Behavioral task: behavioral1
Sample: 429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
Size: 518KB
MD5: 429acb709d5f0fd8a40beecc72c9fa89
SHA1: 0c6ae3cec530d155074510a4f4a5acaf8ef3abce
SHA256: c5f9c9512a8d4efe4cea83bddc1b7e2cea0dbbb4297923c74c30f817433cfae3
SHA512: b2e35681804e67d6e599c448ede9bf0d0776d3eb7fa6dc847850367dc62622851fd746202f42028a969d1e167773d5f6821ecce24108a1408d6fa3bbed7129b3
SSDEEP: 12288:G5GzoHmEaY4r8Y38wGNQ1axaAmS6IEPzjipswj5iHN6Mp4o:G4zoH7aYI9WNVmH5His+5iHJ4o
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid   Process
1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource                                                                     yara_rule
behavioral1/memory/1596-0-0x0000000000400000-0x0000000000511000-memory.dmp    upx
behavioral1/memory/1596-1-0x0000000000400000-0x0000000000511000-memory.dmp    upx
behavioral1/memory/1596-3-0x0000000000400000-0x0000000000511000-memory.dmp    upx
behavioral1/files/0x0006000000015dba-131.dat                                 upx
behavioral1/memory/1596-176-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-177-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-178-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-179-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-185-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-186-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-187-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-189-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-190-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-191-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-192-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-193-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-194-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-195-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-196-0x0000000000400000-0x0000000000511000-memory.dmp  upx
behavioral1/memory/1596-197-0x0000000000400000-0x0000000000511000-memory.dmp  upx
-
Drops file in Program Files directory 1 IoCs
description   ioc                              Process
File created  C:\PROGRA~2\is259619609.log      429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process                                              procid_target
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
PID 1596 wrote to memory of 2140   1596  429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe  29
Processes
-
Process: C:\Users\Admin\AppData\Local\Temp\429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe"
Depth: 1
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1596
-
Process: C:\Windows\SysWOW64\regsvr32.exe
Command line: "C:\Windows\System32\regsvr32.exe" /s /c vbscript.dll
Depth: 2
PID: 2140
-
Network
MITRE ATT&CK Enterprise v15
Downloads