39bc52912cf67b1d653f00b2585e6cc1549e25f891f91baa8d1e66501ef33351

Analysis

max time kernel
35s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 10:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

495865ca486c23161737b692e93eac57_JaffaCakes118.exe
Size

322KB
MD5

495865ca486c23161737b692e93eac57
SHA1

d4fed10f284c8dac75020f366f74d8010caeb120
SHA256

39bc52912cf67b1d653f00b2585e6cc1549e25f891f91baa8d1e66501ef33351
SHA512

5d6669d4de2204e20f8751622be72bc5f47bf4a451c9dbb4f86ca0687e1ed1128f651c1a8f018a2276b0c6e7fb7792fb262f204f91d65f21514d4ffbfddf0356
SSDEEP

6144:Uu3SjaqpYkkrF2rSh64gFz/Kskh1ymcwjkYOoujxj6sl:yja+Yk2KShNsrkzyo47oQN6

Score

8^/10

evasion execution spyware stealer

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4868	sc.exe

Runs .reg file with regedit 3 IoCs

pid	Process
3548	regedit.exe
3612	regedit.exe
1588	regedit.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2052	1384	495865ca486c23161737b692e93eac57_JaffaCakes118.exe	83
PID 1384 wrote to memory of 2052	1384	495865ca486c23161737b692e93eac57_JaffaCakes118.exe	83
PID 1384 wrote to memory of 2052	1384	495865ca486c23161737b692e93eac57_JaffaCakes118.exe	83
PID 2052 wrote to memory of 3548	2052	cmd.exe	95
PID 2052 wrote to memory of 3548	2052	cmd.exe	95
PID 2052 wrote to memory of 3548	2052	cmd.exe	95
PID 2052 wrote to memory of 1972	2052	cmd.exe	96
PID 2052 wrote to memory of 1972	2052	cmd.exe	96
PID 2052 wrote to memory of 1972	2052	cmd.exe	96
PID 2052 wrote to memory of 3440	2052	cmd.exe	97
PID 2052 wrote to memory of 3440	2052	cmd.exe	97
PID 2052 wrote to memory of 3440	2052	cmd.exe	97
PID 2052 wrote to memory of 1448	2052	cmd.exe	98
PID 2052 wrote to memory of 1448	2052	cmd.exe	98
PID 2052 wrote to memory of 1448	2052	cmd.exe	98
PID 2052 wrote to memory of 2148	2052	cmd.exe	100
PID 2052 wrote to memory of 2148	2052	cmd.exe	100
PID 2052 wrote to memory of 2148	2052	cmd.exe	100
PID 2052 wrote to memory of 516	2052	cmd.exe	101
PID 2052 wrote to memory of 516	2052	cmd.exe	101
PID 2052 wrote to memory of 516	2052	cmd.exe	101
PID 2052 wrote to memory of 4988	2052	cmd.exe	102
PID 2052 wrote to memory of 4988	2052	cmd.exe	102
PID 2052 wrote to memory of 4988	2052	cmd.exe	102
PID 2052 wrote to memory of 1940	2052	cmd.exe	103
PID 2052 wrote to memory of 1940	2052	cmd.exe	103
PID 2052 wrote to memory of 1940	2052	cmd.exe	103
PID 2052 wrote to memory of 4048	2052	cmd.exe	104
PID 2052 wrote to memory of 4048	2052	cmd.exe	104
PID 2052 wrote to memory of 4048	2052	cmd.exe	104
PID 2052 wrote to memory of 520	2052	cmd.exe	105
PID 2052 wrote to memory of 520	2052	cmd.exe	105
PID 2052 wrote to memory of 520	2052	cmd.exe	105
PID 2052 wrote to memory of 1412	2052	cmd.exe	106
PID 2052 wrote to memory of 1412	2052	cmd.exe	106
PID 2052 wrote to memory of 1412	2052	cmd.exe	106
PID 2052 wrote to memory of 332	2052	cmd.exe	107
PID 2052 wrote to memory of 332	2052	cmd.exe	107
PID 2052 wrote to memory of 332	2052	cmd.exe	107
PID 2052 wrote to memory of 1232	2052	cmd.exe	108
PID 2052 wrote to memory of 1232	2052	cmd.exe	108
PID 2052 wrote to memory of 1232	2052	cmd.exe	108
PID 2052 wrote to memory of 1380	2052	cmd.exe	109
PID 2052 wrote to memory of 1380	2052	cmd.exe	109
PID 2052 wrote to memory of 1380	2052	cmd.exe	109
PID 2052 wrote to memory of 4176	2052	cmd.exe	110
PID 2052 wrote to memory of 4176	2052	cmd.exe	110
PID 2052 wrote to memory of 4176	2052	cmd.exe	110
PID 2052 wrote to memory of 964	2052	cmd.exe	111
PID 2052 wrote to memory of 964	2052	cmd.exe	111
PID 2052 wrote to memory of 964	2052	cmd.exe	111
PID 2052 wrote to memory of 4108	2052	cmd.exe	112
PID 2052 wrote to memory of 4108	2052	cmd.exe	112
PID 2052 wrote to memory of 4108	2052	cmd.exe	112
PID 2052 wrote to memory of 232	2052	cmd.exe	113
PID 2052 wrote to memory of 232	2052	cmd.exe	113
PID 2052 wrote to memory of 232	2052	cmd.exe	113
PID 2052 wrote to memory of 4476	2052	cmd.exe	114
PID 2052 wrote to memory of 4476	2052	cmd.exe	114
PID 2052 wrote to memory of 4476	2052	cmd.exe	114
PID 2052 wrote to memory of 3660	2052	cmd.exe	115
PID 2052 wrote to memory of 3660	2052	cmd.exe	115
PID 2052 wrote to memory of 3660	2052	cmd.exe	115
PID 2052 wrote to memory of 3908	2052	cmd.exe	116

Views/modifies file attributes 1 TTPs 22 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3440	attrib.exe
516	attrib.exe
4176	attrib.exe
964	attrib.exe
4476	attrib.exe
4376	attrib.exe
1448	attrib.exe
2148	attrib.exe
4988	attrib.exe
4048	attrib.exe
232	attrib.exe
3660	attrib.exe
3908	attrib.exe
1408	attrib.exe
4108	attrib.exe
1972	attrib.exe
1940	attrib.exe
520	attrib.exe
1412	attrib.exe
332	attrib.exe
1232	attrib.exe
1380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\495865ca486c23161737b692e93eac57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\495865ca486c23161737b692e93eac57_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~9AC9.bat "C:\Users\Admin\AppData\Local\Temp\495865ca486c23161737b692e93eac57_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s rem.reg
    3⤵
    - Runs .reg file with regedit
    PID:3548
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\avgautostart.reg
    3⤵
    - Views/modifies file attributes
    PID:1972
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\wget.exe
    3⤵
    - Views/modifies file attributes
    PID:3440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\cfet.exe
    3⤵
    - Views/modifies file attributes
    PID:1448
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\cfett.exe
    3⤵
    - Views/modifies file attributes
    PID:2148
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\inetload.exe
    3⤵
    - Views/modifies file attributes
    PID:516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\inetill.exe
    3⤵
    - Views/modifies file attributes
    PID:4988
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\fs.exe
    3⤵
    - Views/modifies file attributes
    PID:1940
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\ncftppu.exe
    3⤵
    - Views/modifies file attributes
    PID:4048
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\sys.exe
    3⤵
    - Views/modifies file attributes
    PID:520
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\firsttimer.exe
    3⤵
    - Views/modifies file attributes
    PID:1412
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\firsttime.exe
    3⤵
    - Views/modifies file attributes
    PID:332
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\slp.exe
    3⤵
    - Views/modifies file attributes
    PID:1232
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\hpclnt.exe
    3⤵
    - Views/modifies file attributes
    PID:1380
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\inetill_service.exe
    3⤵
    - Views/modifies file attributes
    PID:4176
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\hpsrv.exe
    3⤵
    - Views/modifies file attributes
    PID:964
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\hpload.reg
    3⤵
    - Views/modifies file attributes
    PID:4108
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\system32\ftpcmr.exe
    3⤵
    - Views/modifies file attributes
    PID:232
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Dokumente und Einstellungen\All Users\Startmenⁿ\Programme\Autostart\ftpcmrs.exe"
    3⤵
    - Views/modifies file attributes
    PID:4476
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftpcmrs.exe"
    3⤵
    - Views/modifies file attributes
    PID:3660
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ftpcmrs.exe"
    3⤵
    - Views/modifies file attributes
    PID:3908
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\help\*.bat
    3⤵
    - Views/modifies file attributes
    PID:1408
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s rem.reg
    3⤵
    - Runs .reg file with regedit
    PID:3612
- - C:\Windows\SysWOW64\net.exe
    net stop Internet_Service
    3⤵
    PID:1020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Internet_Service
      4⤵
      PID:4960
- - C:\Windows\SysWOW64\sc.exe
    sc delete Internet_Service
    3⤵
    - Launches sc.exe
    PID:4868
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s rem.reg
    3⤵
    - Runs .reg file with regedit
    PID:1588
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 1 -f
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h C:\Windows\help\*.bat
    3⤵
    - Views/modifies file attributes
    PID:4376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3958855 /state1:0x41c64e6d
1⤵
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~9AC9.bat

Filesize
4KB

MD5
a67b9e6e1721004b049d8fef7ac27b51

SHA1
e7953a94fea2c27a7cf00cd1b1cbf7ebed59a24e

SHA256
0ad0ec03837edb6341511097c0e8086e69127b0358c0597d05a4ed8ac6fb9d20

SHA512
b93f670eb0cde09bdf6a1ffc34330aa2801ab8a28fcea2eccfe223ef1affe1c6bfb44356be7b582e0bbd70223e27ff5be4d350b4bf8bec9ed9effd1dcf1dfdc5

Download Submit
memory/1384-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1384-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1384-5-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1384-9-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download