c5f9c9512a8d4efe4cea83bddc1b7e2cea0dbbb4297923c74c30f817433cfae3

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
Size

518KB
MD5

429acb709d5f0fd8a40beecc72c9fa89
SHA1

0c6ae3cec530d155074510a4f4a5acaf8ef3abce
SHA256

c5f9c9512a8d4efe4cea83bddc1b7e2cea0dbbb4297923c74c30f817433cfae3
SHA512

b2e35681804e67d6e599c448ede9bf0d0776d3eb7fa6dc847850367dc62622851fd746202f42028a969d1e167773d5f6821ecce24108a1408d6fa3bbed7129b3
SSDEEP

12288:G5GzoHmEaY4r8Y38wGNQ1axaAmS6IEPzjipswj5iHN6Mp4o:G4zoH7aYI9WNVmH5His+5iHJ4o

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2260-0-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-1-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-3-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-154-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-155-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-156-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-158-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-159-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-160-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-162-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-163-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-164-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-165-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-166-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-167-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-168-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-169-0x0000000000400000-0x0000000000511000-memory.dmp	upx
behavioral2/memory/2260-170-0x0000000000400000-0x0000000000511000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~2\is240626718.log	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2260	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
2260	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4140	2260	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe	86
PID 2260 wrote to memory of 4140	2260	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe	86
PID 2260 wrote to memory of 4140	2260	429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\429acb709d5f0fd8a40beecc72c9fa89_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /c vbscript.dll
  2⤵
  PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ImInstaller\im_log.txt

Filesize
775B

MD5
03c9a7476168f7f69e5264c53aa044a2

SHA1
6461f249fb52331d2e95b82f341fd21e6794a8e2

SHA256
dde328e5b457f22ef60d4e7fba2f9ad23eb57ed405889d1e4ee3d9637083ce0b

SHA512
adb14c7113a09f960702777f83602e69542d70a5882f15b16e608bd13e65eff2854119944b8aa57dbce82d2440a8a5cfa63c9bb4f9d9875d4e6ad980d71f586d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\bootstrap_9799.html

Filesize
156B

MD5
1ea9e5b417811379e874ad4870d5c51a

SHA1
a4bd01f828454f3619a815dbe5423b181ec4051c

SHA256
f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a

SHA512
965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\css\main.css

Filesize
2KB

MD5
26571cc52e369de069184809dad692ae

SHA1
00bba72740880d8cecf91dbb96fa909d445ff94e

SHA256
9d61276f85f774cfffb19254b414e3d3369b1b7534d6e2473c134754750d517a

SHA512
c135808f58b05c5a90e6cfa43f07da102bbd51e4016b850e65930ef690eaeb47cd256e76f9200e1c81525f5b01e1083dd9b9c265917498eb0a95f728e828c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\altprogress.png

Filesize
2KB

MD5
3d2aa6a7a64f0b26d01cd4277b10079b

SHA1
ad513cb821f94da8e07a56ff51fec6499154dc6a

SHA256
e4fad0196afa803e2687fc84803bbb792af2e97f60ba46b17d05bb44dbab9a95

SHA512
f405db304dcdfc403e72b36188ebca9cd2c18b4322ece280a0d77699f1550c2ca86c88986bf4224d566b4b4f45bcfe205ac8621c3b262f668365fb92082b7837

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\altprogress_bck.png

Filesize
1021B

MD5
5ee302dc78542e5fd0a02f25a0002da1

SHA1
e87d05c022100b011258d967d39622ba7418d061

SHA256
463d6daf03677bb1680ea08d8213109a552a607c4b052392dc3902cf138e9693

SHA512
e3368f139eea37511d36d9e885bcc0dfa7948e2afb4479d9a139f67a8ff87004d5c9978b984951c7a1c8354fdac533c41c53d478d017fad64581862787c0d7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\approvemystart_bg.png

Filesize
1KB

MD5
7079f7a38ff7af04727c9f1750f32634

SHA1
3cd8c5f3a1a8b8777d5a01ad5e295e89fb0d9bc0

SHA256
759d69822f034c0711509390bcb2e731747e2fb3d8f79e7cbdc3305ac047c026

SHA512
be915a2da8b6e06720b1c2563933bbbabfb68ddc5cdea7cf57b8cbdd44478b716018c42aa4cf47667628393b4d06610a3d0a00df4f7136aef20821001b54961a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\bg_icon.jpg

Filesize
2KB

MD5
eacfc942574a53060e716a4f56163fa4

SHA1
8080d0cbfa1cd69a385b7d6952c0270ca59438be

SHA256
4c5704990fbbfb5062a005be555402110f7dff0cd126fde4a26c2b5735242a28

SHA512
b7c5f3e5b647c6f9d41b3f886f3830744bfdbf8f3398ec451775a5950282a6dfe2155e038bb419e3f87fe854704b70a2520e36d00c4df41ee76812e36abf0c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\dlg_bg.png

Filesize
1KB

MD5
66d7245af7de7d1f9540e55a1e020195

SHA1
fe78c89b4e7e717f059caa7d1e591e379e04f7c1

SHA256
af7b976d08c7dc668b33feefc8626bc95ba3ac03290a0d3f2f1848d66fc624ca

SHA512
9f102b9f7d6fe0bb82e7280bd829cdf33f1ac1d0682e362a974ac31c22333dae1d5525db4af80cfa829751e5ce39da29c93a276f8e553ce52a238ef110460cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\incredimail_toolbar.gif

Filesize
6KB

MD5
ad107fa0cdd0d308688503bbd113a7cb

SHA1
8198eee6fccd6dfbfab000faac35e32d030dfe7e

SHA256
29119628c65a0b0d4a56470511f8ab9b35b68494fd2c73b5c781bc18aec62a2c

SHA512
71819203400fc9d506406ffc4691306dbc37a04ac8fffd5338df2cd4549c419ad225c2a6c606008d80a24381daaac3305c6edca2b242d8b7f16141bb9dfbd7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\tech_problem_icon.png

Filesize
1KB

MD5
0082128c5fe64728fe46f9c050065408

SHA1
065b7be79e5c0a5fe1ea59677152fa3d5e031d88

SHA256
1f27a3c822b032286f36b572b13f226803335c330933d6518be3634209fc61e2

SHA512
a9d42921cff39928ce1a23186f2e8a53514461662bfcf65da263f4ed5d137ffc016c727bda3c0e3831381398659b86889d07538eea0bb17a4c4de7a85ec06e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ish240625750\images\x.gif

Filesize
1KB

MD5
ea0f9590069a3bba51bb36280f571ea0

SHA1
27047add676557bc05f00c457ceb407b592a9bfb

SHA256
6d4cac22f5ba2c4d92c7cd59db41679e4e4f0eb2090006bf1caa65e2dd008a2e

SHA512
9108fab9c6305ce1bede59274e1965a8fc138a888a96b54dfbeb25fa12cf172e7aa722a3fe2f3d59bb0f306dff976d9635db371a3d79cdc3a8a0d1d8c1e39d1a

Download Submit
memory/2260-158-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-159-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-2-0x0000000000401000-0x00000000004CB000-memory.dmp

Filesize
808KB

Download
memory/2260-1-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-154-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-155-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-156-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-157-0x0000000000401000-0x00000000004CB000-memory.dmp

Filesize
808KB

Download
memory/2260-0-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-3-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-160-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-162-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-163-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-164-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-165-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-166-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-167-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-168-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-169-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-170-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download