Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 08:05
Behavioral task: behavioral1
Sample: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
Size: 5.6MB
MD5: 567d10dc616a037e225b1a669a2cf7f9
SHA1: 5341202e2572b57293fdb1ba328f2656e5ee4da2
SHA256: 95b27d71fe29def39d849d337649ef73d189262a10f9e35dca407176c98bdc2f
SHA512: 25e541fcc518c408ac5f453fc8ede349d186cd984cc8b8ad774a29fbd874ce15eb6c65d164371d55ae5f9265bde73cb3cd8eea067a52ecb9b09b49a6cf744b4a
SSDEEP: 98304:5XdiSRAXXY2Ru8/fFxRtJSr9lXzPKk1/73esGItrROT4u27Mr3XQ7FsQvsw0R:5tiSRCXY2H/fFxRzojb1/rGIIXQ7SN
Malware Config
Extracted (44caliber):
Webhook URL: https://discordapp.com/api/webhooks/892778422043041873/gYqLiMf-cpigl0WIlIn8gWAFktijHzZBx8-bcU6yxyaLimlCeY0552wy36J78fXd1Na8
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
Process: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes:
PID 2752: Insidious.exe
PID 636: Netsh Gang Bat.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Resources matching yara rule "vmprotect":
  behavioral2/memory/3592-10-0x0000000000400000-0x0000000000D34000-memory.dmp
  behavioral2/memory/3592-12-0x0000000000400000-0x0000000000D34000-memory.dmp
  behavioral2/memory/3592-9-0x0000000000400000-0x0000000000D34000-memory.dmp
  behavioral2/memory/3592-41-0x0000000000400000-0x0000000000D34000-memory.dmp
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 11: freegeoip.app
flow 27: freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
PID 3592: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
Process: Insidious.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
PID 3592: 567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe (listed 4 times)
PID 2752: Insidious.exe (listed 4 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
PID 2752: Insidious.exe, Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 3592 (567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe) wrote to memory of PID 2752 (Insidious.exe) (listed twice)
PID 3592 (567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe) wrote to memory of PID 636 (Netsh Gang Bat.exe) (listed twice)
Processes

C:\Users\Admin\AppData\Local\Temp\567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\567d10dc616a037e225b1a669a2cf7f9_JaffaCakes118.exe"
  PID: 3592
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    PID: 2752
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe"
    PID: 636
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d1797977620f7272114f22dfc9189198
  SHA1: 3edd5fa1831e8f397779142410d6567fbff38731
  SHA256: a28701c22983319150b517dfb3e766d26ebd4dd21e6526c23f410ad55a5fecfd
  SHA512: af45f03cf14544a70e7a5539b673b3c528774857d72f21944c3d8f48205dffa412faf22d92ef58e05796d22bb4d6c7d18d887147e7c7b5e1442514be19cb404d
- Filesize: 274KB
  MD5: 2449b1ed616ff673f7207683e618c36a
  SHA1: 2324a0a9228eb38895256f6e4b38508e3ad3fbf9
  SHA256: a01857befcc1726e1026037eefaede516b0ade74ed196cb87c2bf4ee17096923
  SHA512: 84789d137c3a1617aa670d72296a5346d9f341d4a9bad20336bce1a36452272a6b5aac0f340bf3e6642329146685ad21de8e12962863bf1d9c698f6c6cbdb886
- Filesize: 122KB
  MD5: 22f7d003c8304329e091ec4d12da5936
  SHA1: 0d96344082ad8a05c4d811522776cfeefe3fa2b0
  SHA256: c97ab40a01f9c6fb2a866134f401bb5d86f4a9d97b28bd1d81d95704099f91fd
  SHA512: fbb352838a5202b2e9ba1ac951a47f4734609a457a8a8419efea5bd768599be8e54095546b954ba68d7e1b7eebe6b220fc2d50201538bdf123eb21eb152b5782