Analysis
-
max time kernel
139s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
19/07/2024, 04:05
General
-
Target
5a65825ba178c13015ed05666b247cdb_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
5a65825ba178c13015ed05666b247cdb
-
SHA1
f0c977e7d643537ff4f836700e75c01ea2ba205d
-
SHA256
17bcaa3a363e9f256881771f1ee97ade29dc760c6259e82df3ac056c73c4aa97
-
SHA512
1e63f64498d7fc40779698ab22d8fe04e105c84cb4a861a61dc198b4c8bb197762e274f8f0b67584a504c6dc4a34ab6c384622b642a783412c6a25633a603a57
-
SSDEEP
24576:pGZ8mmY5Ma+jq05cBgKxySbRSN5Y2CDLyvzv9XyNW/sh6GvBbJKZQ4cyiQ9obI:pG+mZMa+e0TcZdlDDWvzv9Cs0o2BbJKl
Malware Config
Signatures
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a65825ba178c13015ed05666b247cdb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5a65825ba178c13015ed05666b247cdb_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\37345.exe"C:\Users\Admin\AppData\Local\Temp\37345.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\47063.exe"C:\Users\Admin\AppData\Local\Temp\47063.exe"2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe"netsh.exe" firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Users\Admin\AppData\Local\Temp\dialup.exeC:\Users\Admin\AppData\Local\Temp\dialup.exe /stext C:\Users\Admin\AppData\Local\Temp\du.txt3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\passwordfox.exeC:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5bbd9d5bb5d7e429ac5b00e775bc9f00e
SHA17d447e4b6135c8065f9a611624b9f02207a40d41
SHA256056702a14c5367f6dc50fd1e41515e0a756c999e206196d4e4014cfe41869c3d
SHA51275a3f81f4e57f03ab4410810fb69306ce20d048da16418404bae32d08de5d788b633b69498244b75d452effb2ae528f610d984ace97765cc3c6ab7f1f7b1bdd0
-
Filesize
532KB
MD51690de336b22173f7ff4602618ee3fb7
SHA1c2999b3f00becf1af55c70fdcb80c27d4638d9c5
SHA256a294d76a8e2484fbbc43040d27fbe84caa71b172ad51f34ee34d14ed2d5e7bfc
SHA5125aa412ebab56c0e2c25dbd14b58a8225d247398a7ec77c3f3f26292ff58dd9dc472eeb8ef944e292601b5512219eb3b6e4a74f07354ab933d6511c75e04fad84
-
Filesize
37KB
MD59c8872c879d0a9d82988920488370864
SHA187ff4231547462e6474c832e28831dd691d83fd4
SHA2568f576d5191721f8fdb47bb22950f43fc8f2c9cc880fe067090ed96e6fcb07a97
SHA5123c413427c46ef92a412840479896841ffd5c6eb9215b8ecc416cdbd4f8e0f2eb643ed3b7f2e18eb5710ba7c55e1cd82af6637285ee364e069503c5ecc187cb2e
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
37KB
MD5a1d6a37917dcf4471486bc5a0e725cc6
SHA15b09f10dc215078ae44f535de12630c38f3b86e3
SHA2568a06acd1158060a54d67098f07c1ff7895f799bc5834179b8aae04d28fb60e17
SHA5125798a5d85052d5c2f6b781b91a400c85bc96c0127cc4e18079bff1f17bd302dc07c0f015ddf1105621a841680057322eb0172ba06063f55d795b7b079f1d26d2
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB