Overview

overview

10

Static

static

7

51b9711c56...18.exe

windows7-x64

10

51b9711c56...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 05:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51b9711c5637cdf4a5b44f6dd9bb3eda_JaffaCakes118.exe

  • Size

    3.8MB

  • MD5

    51b9711c5637cdf4a5b44f6dd9bb3eda

  • SHA1

    b4851f0f4a1568130763142dfecce532f8dca6e3

  • SHA256

    dd11659543b958d2dd58b0a694a2c574aaf94f5edd8689860e9c4a36b5530cee

  • SHA512

    69347285283b80d45e2f988500d54fba9fcb5fb6711f33cb92d12d8ce71deb088027a8e57ec525906f12133b75a12ed5b03b66e8a4bc06ee229fd15270a8a0f8

  • SSDEEP

    98304:zHDIrXrCr0zwGfGmxDw8Ea2vmq/CAtnx/9uQa9:zjIrWIzbfBDwTa2e5Ahx/9Ba

Score
10/10
darkstealerechelonbackdoorcollectionevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Darkstealer

    Darkstealer is a file grabber, data stealer, and RAT.

    trojanbackdoordarkstealer
  • Detects Echelon Stealer payload 3 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Echelon - DarkStealer Fork 3 IoCs

    Payload resembles modified variant of Echelon Stealer called DarkStealer.

    stealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51b9711c5637cdf4a5b44f6dd9bb3eda_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\51b9711c5637cdf4a5b44f6dd9bb3eda_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Accesses Microsoft Outlook profiles
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:3052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1844
      2⤵
      • Program crash
      PID:4976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3052 -ip 3052
    1⤵
      PID:2348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3052-0-0x0000000000DC0000-0x0000000001788000-memory.dmp

      Filesize

      9.8MB

      Download

    • memory/3052-2-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-1-0x0000000076E60000-0x0000000076E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3052-5-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-4-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-3-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-8-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-7-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-6-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-9-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3052-13-0x0000000000DC0000-0x0000000001788000-memory.dmp

      Filesize

      9.8MB

      Download

    • memory/3052-14-0x0000000000DC0000-0x0000000001788000-memory.dmp

      Filesize

      9.8MB

      Download

    • memory/3052-15-0x0000000006150000-0x00000000061B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3052-20-0x0000000006B70000-0x0000000006C0C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3052-22-0x0000000000DC0000-0x0000000001788000-memory.dmp

      Filesize

      9.8MB

      Download

    • memory/3052-23-0x0000000076E40000-0x0000000076F30000-memory.dmp

      Filesize

      960KB

      Download