Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
18-07-2024 16:52
Static task
static1
Behavioral task
behavioral1
Sample
5842335503404a570eb9263542504d63_JaffaCakes118.jar
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5842335503404a570eb9263542504d63_JaffaCakes118.jar
Resource
win10v2004-20240709-en
General
-
Target
5842335503404a570eb9263542504d63_JaffaCakes118.jar
-
Size
905KB
-
MD5
5842335503404a570eb9263542504d63
-
SHA1
505cce556054c1a2c6a59a6f3203c6d0cda8b7fc
-
SHA256
6cadc1a284604c4ec3ba8655e5b933bc7df036e6eb84685d7a6ca0e40c17d575
-
SHA512
08e46be059022861fa9909303ab83bef4cf917d711b1b2054640d33eac64a57a242181f73f8cbf3034e8615f319034a44fba8ac3065183a70b0e5cd02000d9ff
-
SSDEEP
24576:khlynSEg/rfZI1/wicY0hFo8150dkM++cp+VD3:SlmGG15oht2ss
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ihemeg1986
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 32 IoCs
Processes:
resource yara_rule behavioral2/memory/2748-45-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-49-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-53-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-107-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-93-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-79-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-77-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-75-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-73-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-71-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-69-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-65-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-63-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-61-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-59-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-57-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-51-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-67-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-55-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-109-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-105-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-103-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-101-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-99-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-97-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-95-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-91-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-89-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-87-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-85-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-83-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger behavioral2/memory/2748-81-0x0000000000400000-0x00000000004B0000-memory.dmp family_masslogger -
Executes dropped EXE 1 IoCs
Processes:
p16hIwD.exepid Process 1436 p16hIwD.exe -
Loads dropped DLL 2 IoCs
Processes:
p16hIwD.exepid Process 1436 p16hIwD.exe 1436 p16hIwD.exe -
Accesses Microsoft Outlook profiles 1 TTPs 18 IoCs
Processes:
MSBuild.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
p16hIwD.exedescription pid Process procid_target PID 1436 set thread context of 2748 1436 p16hIwD.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000800000002344e-27.dat nsis_installer_1 behavioral2/files/0x000800000002344e-27.dat nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
p16hIwD.exeMSBuild.exepid Process 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 1436 p16hIwD.exe 2748 MSBuild.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
p16hIwD.exepid Process 1436 p16hIwD.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid Process Token: SeDebugPrivilege 2748 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
java.exepid Process 1888 java.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
java.exep16hIwD.exedescription pid Process procid_target PID 1888 wrote to memory of 1436 1888 java.exe 87 PID 1888 wrote to memory of 1436 1888 java.exe 87 PID 1888 wrote to memory of 1436 1888 java.exe 87 PID 1436 wrote to memory of 2748 1436 p16hIwD.exe 89 PID 1436 wrote to memory of 2748 1436 p16hIwD.exe 89 PID 1436 wrote to memory of 2748 1436 p16hIwD.exe 89 PID 1436 wrote to memory of 2748 1436 p16hIwD.exe 89 -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc Process Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc Process Key queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\5842335503404a570eb9263542504d63_JaffaCakes118.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\p16hIwD.exeC:\Users\Admin\p16hIwD.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Users\Admin\p16hIwD.exe3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2748
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD57cc0f4a9693723bcfdccfb3ab0336cc4
SHA108e4d23651c45064369f61622625b44b926d55d5
SHA2560a8ca816133bd54cfcf867b08466ef637a34ec05cc8b2f6c5a25790fa6cb2945
SHA51285651944816c7f2a2e304d0b48b24d24374a66cb4687097644c546f44a55971aadba67e31fbc69bf5ac61183959ddc8fc1c9ca460ced5e9b530d72f8f29febff
-
Filesize
11KB
MD5fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Filesize
742KB
MD54a7839a3df1f6ddfe599b2db6ac68849
SHA17c6ff25e863f118080ba3e32456aa7efb4dd6a93
SHA256143cd94e43f3988d20e7cb621184e4d1031175e2c11e6d64ee9d00e01750bd82
SHA512088ba6c450007c85955dac9f42f7a55178e0a16e853b10f91bf9cbb6fe9c9666d721aad111ae37b17d09dfe8ade38b35e18e2f00b37ac0ddeaaef70e76e5cda7