0839ef2535c7ca36180a7c673ffc7b5551021e2de39fd26a8e2b1861cf706de9

Analysis

max time kernel
141s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
Size

260KB
MD5

5caa9ab24a9f71727407cf2b53fd50b3
SHA1

b9a3c1210ca5dcb20a7dbb5d715dded43b03d354
SHA256

0839ef2535c7ca36180a7c673ffc7b5551021e2de39fd26a8e2b1861cf706de9
SHA512

6e6bc7ed995e3b1311b730c33e08429fb03d13b225b1f66d6345cb4e3094d9b19452b9e4536fcb053dc7ca46f2a279f1742f6362ff1705657bd826d205832856
SSDEEP

6144:ajEDyVUtKq9o8BC2N6tdTTTbfxXuzJwGhrPN+:ZmVUtKq9o8BC2N6tdTTTbfxwmGhrF

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\Common Files\\svchost.exe -s"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4336	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\svchost.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Shared.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\log	svchost.exe
File opened for modification	C:\Program Files\Common Files\log\MUEOAWXB	svchost.exe
File opened for modification	C:\Program Files\Common Files\log\MUEOAWXB\20240719161029.cab.bak	svchost.exe
File created	C:\Program Files\Common Files\svchost.exe	5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\drive.tlb	svchost.exe
File created	C:\Program Files\Common Files\log\MUEOAWXB\20240719161029.cab.bak	svchost.exe
File created	C:\Program Files\Common Files\log\MUEOAWXB\20240719161112.cab.bak	svchost.exe
File created	C:\Program Files\Common Files\log\MUEOAWXB\20240719161122.cab.bak	svchost.exe
File created	C:\Program Files\Common Files\log\MUEOAWXB\20240719161124.cab.bak	svchost.exe
File opened for modification	C:\Program Files\Common Files\svchost.exe	5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\log	svchost.exe
File created	C:\Windows\log\20240719161029.cab.bak	svchost.exe
File created	C:\Windows\log\20240719161124.cab	svchost.exe
File created	C:\Windows\log\20240719161122.cab	svchost.exe
File created	C:\Windows\log\20240719161122.cab.bak	svchost.exe
File created	C:\Windows\log\20240719161124.cab.bak	svchost.exe
File opened for modification	C:\Windows\drive.ini	svchost.exe
File created	C:\Windows\log\20240719161029.cab	svchost.exe
File created	C:\Windows\log\20240719161112.cab	svchost.exe
File created	C:\Windows\log\20240719161112.cab.bak	svchost.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4388	ipconfig.exe
4472	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1872	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	NETSTAT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4336	1996	5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe	84
PID 1996 wrote to memory of 4336	1996	5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe	84
PID 1996 wrote to memory of 4336	1996	5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe	84
PID 4336 wrote to memory of 448	4336	svchost.exe	85
PID 4336 wrote to memory of 448	4336	svchost.exe	85
PID 4336 wrote to memory of 448	4336	svchost.exe	85
PID 448 wrote to memory of 4388	448	cmd.exe	87
PID 448 wrote to memory of 4388	448	cmd.exe	87
PID 448 wrote to memory of 4388	448	cmd.exe	87
PID 4336 wrote to memory of 1464	4336	svchost.exe	88
PID 4336 wrote to memory of 1464	4336	svchost.exe	88
PID 4336 wrote to memory of 1464	4336	svchost.exe	88
PID 4336 wrote to memory of 2260	4336	svchost.exe	90
PID 4336 wrote to memory of 2260	4336	svchost.exe	90
PID 4336 wrote to memory of 2260	4336	svchost.exe	90
PID 2260 wrote to memory of 1872	2260	cmd.exe	92
PID 2260 wrote to memory of 1872	2260	cmd.exe	92
PID 2260 wrote to memory of 1872	2260	cmd.exe	92
PID 4336 wrote to memory of 1288	4336	svchost.exe	101
PID 4336 wrote to memory of 1288	4336	svchost.exe	101
PID 4336 wrote to memory of 1288	4336	svchost.exe	101
PID 1288 wrote to memory of 4472	1288	cmd.exe	103
PID 1288 wrote to memory of 4472	1288	cmd.exe	103
PID 1288 wrote to memory of 4472	1288	cmd.exe	103
PID 4336 wrote to memory of 1360	4336	svchost.exe	104
PID 4336 wrote to memory of 1360	4336	svchost.exe	104
PID 4336 wrote to memory of 1360	4336	svchost.exe	104
PID 4336 wrote to memory of 1752	4336	svchost.exe	112
PID 4336 wrote to memory of 1752	4336	svchost.exe	112
PID 4336 wrote to memory of 1752	4336	svchost.exe	112
PID 4336 wrote to memory of 4956	4336	svchost.exe	114
PID 4336 wrote to memory of 4956	4336	svchost.exe	114
PID 4336 wrote to memory of 4956	4336	svchost.exe	114
PID 4336 wrote to memory of 3420	4336	svchost.exe	116
PID 4336 wrote to memory of 3420	4336	svchost.exe	116
PID 4336 wrote to memory of 3420	4336	svchost.exe	116
PID 4336 wrote to memory of 5096	4336	svchost.exe	118
PID 4336 wrote to memory of 5096	4336	svchost.exe	118
PID 4336 wrote to memory of 5096	4336	svchost.exe	118
PID 4336 wrote to memory of 2200	4336	svchost.exe	120
PID 4336 wrote to memory of 2200	4336	svchost.exe	120
PID 4336 wrote to memory of 2200	4336	svchost.exe	120
PID 4336 wrote to memory of 1624	4336	svchost.exe	122
PID 4336 wrote to memory of 1624	4336	svchost.exe	122
PID 4336 wrote to memory of 1624	4336	svchost.exe	122
PID 4336 wrote to memory of 2276	4336	svchost.exe	124
PID 4336 wrote to memory of 2276	4336	svchost.exe	124
PID 4336 wrote to memory of 2276	4336	svchost.exe	124
PID 4336 wrote to memory of 4728	4336	svchost.exe	126
PID 4336 wrote to memory of 4728	4336	svchost.exe	126
PID 4336 wrote to memory of 4728	4336	svchost.exe	126
PID 4336 wrote to memory of 4192	4336	svchost.exe	128
PID 4336 wrote to memory of 4192	4336	svchost.exe	128
PID 4336 wrote to memory of 4192	4336	svchost.exe	128
PID 4336 wrote to memory of 1412	4336	svchost.exe	130
PID 4336 wrote to memory of 1412	4336	svchost.exe	130
PID 4336 wrote to memory of 1412	4336	svchost.exe	130
PID 4336 wrote to memory of 4652	4336	svchost.exe	132
PID 4336 wrote to memory of 4652	4336	svchost.exe	132
PID 4336 wrote to memory of 4652	4336	svchost.exe	132
PID 4336 wrote to memory of 956	4336	svchost.exe	134
PID 4336 wrote to memory of 956	4336	svchost.exe	134
PID 4336 wrote to memory of 956	4336	svchost.exe	134
PID 4336 wrote to memory of 3112	4336	svchost.exe	136

C:\Users\Admin\AppData\Local\Temp\5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5caa9ab24a9f71727407cf2b53fd50b3_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files\Common Files\svchost.exe
  "C:\Program Files\Common Files\svchost.exe" -s
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c set >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c systeminfo >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c netstat -na >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir C:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir D:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir E:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir F:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir G:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir H:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir I:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir J:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir K:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir L:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir M:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir N:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir O:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir P:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir Q:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir R:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir S:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir T:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir U:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir V:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir W:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir X:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c dir Y:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
    3⤵
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\svchost.exe

Filesize
260KB

MD5
5caa9ab24a9f71727407cf2b53fd50b3

SHA1
b9a3c1210ca5dcb20a7dbb5d715dded43b03d354

SHA256
0839ef2535c7ca36180a7c673ffc7b5551021e2de39fd26a8e2b1861cf706de9

SHA512
6e6bc7ed995e3b1311b730c33e08429fb03d13b225b1f66d6345cb4e3094d9b19452b9e4536fcb053dc7ca46f2a279f1742f6362ff1705657bd826d205832856

Download Submit
C:\Users\Admin\AppData\Local\Temp\alldetails.txt

Filesize
2KB

MD5
a35e48c72fd925be4f39a8f01821b91e

SHA1
930f3704d2440c37ace5ac49a69a00608579a048

SHA256
7920fa58a3162d2ae5715615f7ff7d8bf7ec224c5042f23de08f30f9310964d3

SHA512
112b3ef728c61ddcd28d481571acbc2350a423077e2e1d5a70bf5bbf96655368f97dca1b1448827c0d81630a5773731648304a365cb91887a7f122595ef3aec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\alldetails.txt

Filesize
4KB

MD5
0d53aacc0136da11a257a60c2c0b6e2c

SHA1
16cb63f9f2c75ed171a6d45d7d4cd39c92d3f804

SHA256
edca9d7fa81cb7491cc28f720718bafb5293fabcf95d021167573368d16a951b

SHA512
038ba84469d4994c59fcc544be38d36722dc0a98e761b997beb3c888f899bb6ad50065fff49e4ea28e5c1a70fdaad089786cefec57f3074ced2f268f1f01ee06

Download Submit
C:\Users\Admin\AppData\Local\Temp\alldetails.txt

Filesize
8KB

MD5
2428fab7e4cadc7cd563b071ab9d2463

SHA1
0e6d7a522acd1c259d4cd801773bf65c2d4ea06d

SHA256
a913dd2db1056aacbca64d4778220077b16fbc1efc05c400fb78612857c0a6a5

SHA512
fcca28afe78f755e0b039b94c3b027c773669f5d69d833d211e1878e43583c71ab68d3d51de885305f49b04211e9a7873cca4736132141ea71d4bae8870283dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\alldetails.txt

Filesize
37.3MB

MD5
74b54312274745e3294f4764fb19fd1a

SHA1
7947e4b9ab74a26591bc665ca677a6b1d8b24d5f

SHA256
b2a73397d555726ef81c8005cb25096e023b216fdf5cc612785c5417d7668609

SHA512
b2aa9e83863cf219e8d8afede6a8b41422d91e2af584d2fe8ec7e37a793b1f8bdc5e83c6e015d06179ea501aa7318b1f47f2f9680a86bc4516e4485bf6b85ebc

Download Submit
C:\Windows\drive.ini

Filesize
49B

MD5
d3955f3d6fde7978e1ff0e9bbefea4ee

SHA1
7c067fb93a616b26bf5b2cadf0dbbc4000805b6d

SHA256
7db2f249e3cb6982872e103f1635b6f84960b4c704f0594693c684384d2e75c9

SHA512
23a3aa6ebe4c7065c8c84cf4db54b97abaf3b76c53d0d3ea96c1c59f232b8f2aee3319a9621588991e228ee8079098332f21b81f2c5617edab2e23d60e7f53c8

Download Submit
C:\Windows\log\20240719161029.cab.bak

Filesize
4.0MB

MD5
ccfccb4fdbcdc4b7b5c40be6a77dac64

SHA1
441d612ee7c28172134d29c7568175a9823c1446

SHA256
1f5b2a4ddc9a51ab506dcdc3b0173e68582e7c69e2356df47953c3bf10fc9c1e

SHA512
d344810900723ea48a0f1f3cae4826416b25916561bb9eed88a5e1307a1714e46e803e75a98c614cae93a7095cb1540185f027d185bdea34245c74e06703351d

Download Submit
memory/1996-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1996-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads