Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/07/2024, 19:28 UTC

General

  • Target

    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe

  • Size

    360KB

  • MD5

    5d56dec0be3cee0baeebfa720dd77400

  • SHA1

    dfff930e8babfad960717c2a3e4850f8e81ec897

  • SHA256

    568d64af64da08ca74d518cc90929928c29679c5d1878a9f876b80842eead411

  • SHA512

    c8d03550f948fea956029e498ba073bdc6d8c4dd1a0cbb195725cf9798b313f16025a757a0eb5b21b4f72c6e31e460df5676e7971fcc10dc981bf82855b7f071

  • SSDEEP

    6144:x1pVeNYX/odGomfYyOUdFNFGFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFk:3pVeNVgFNFGFOFwcGF6cmFWc0FWc8cIl

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Roaming\Windows Firewall\Avira_AntiVir_Control_Center.exe
      "C:\Users\Admin\AppData\Roaming\Windows Firewall\Avira_AntiVir_Control_Center.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1896
    • C:\Users\Admin\AppData\Roaming\Windows Firewall\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\Windows Firewall\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720

Network

  • flag-us
    DNS
    whatismyip.com
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyip.com
    IN A
    Response
    whatismyip.com
    IN A
    104.27.206.92
    whatismyip.com
    IN A
    104.27.207.92
  • flag-us
    GET
    http://whatismyip.com/automation/n09230945.asp
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    Remote address:
    104.27.206.92:80
    Request
    GET /automation/n09230945.asp HTTP/1.1
    Host: whatismyip.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 19 Jul 2024 19:28:44 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 19 Jul 2024 20:28:44 GMT
    Location: https://www.whatismyip.com/api/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MSab82EkIA9Fpi12Rt4XMYPqmEtGnQWgIGCEhqgoFKlvhTH274QaR%2BjQ2DdDT43cbgzKCekfxnsqFvtbV%2FLNom%2BdBYGqyQttxkUMa0wrM8k33fKLCW%2Fy5P123hpSPKtJ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8a5d1dc7aaa39455-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    www.whatismyip.com
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    www.whatismyip.com
    IN A
    Response
    www.whatismyip.com
    IN A
    104.27.206.92
    www.whatismyip.com
    IN A
    104.27.207.92
  • 104.27.206.92:80
    http://whatismyip.com/automation/n09230945.asp
    http
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    370 B
    1.9kB
    6
    4

    HTTP Request

    GET http://whatismyip.com/automation/n09230945.asp

    HTTP Response

    301
  • 104.27.206.92:443
    www.whatismyip.com
    tls
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    352 B
    219 B
    5
    5
  • 104.27.206.92:443
    www.whatismyip.com
    tls
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    352 B
    219 B
    5
    5
  • 8.8.8.8:53
    whatismyip.com
    dns
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    60 B
    92 B
    1
    1

    DNS Request

    whatismyip.com

    DNS Response

    104.27.206.92
    104.27.207.92

  • 8.8.8.8:53
    www.whatismyip.com
    dns
    5d56dec0be3cee0baeebfa720dd77400_JaffaCakes118.exe
    64 B
    96 B
    1
    1

    DNS Request

    www.whatismyip.com

    DNS Response

    104.27.206.92
    104.27.207.92

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Windows Firewall\MSN.txt

    Filesize

    2B

    MD5

    81051bcc2cf1bedf378224b0a93e2877

    SHA1

    ba8ab5a0280b953aa97435ff8946cbcbb2755a27

    SHA256

    7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

    SHA512

    1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

  • C:\Users\Admin\AppData\Roaming\Windows Firewall\winlogon.exe

    Filesize

    360KB

    MD5

    5d56dec0be3cee0baeebfa720dd77400

    SHA1

    dfff930e8babfad960717c2a3e4850f8e81ec897

    SHA256

    568d64af64da08ca74d518cc90929928c29679c5d1878a9f876b80842eead411

    SHA512

    c8d03550f948fea956029e498ba073bdc6d8c4dd1a0cbb195725cf9798b313f16025a757a0eb5b21b4f72c6e31e460df5676e7971fcc10dc981bf82855b7f071

  • \Users\Admin\AppData\Roaming\Windows Firewall\Avira_AntiVir_Control_Center.exe

    Filesize

    24KB

    MD5

    7e79d336c4475489c14762dceecb4029

    SHA1

    62aa924398ec51de6b621e734b6356329177519e

    SHA256

    1336ac983c6d87bfceccb5850a0883bbd07f533af82a0338323b741dbfd2d3cd

    SHA512

    875f99c1b6abcd7c4d646b3bfc90331611198db67e4a1552fa53b39cbbc876e06cb4b1a915aac2fd10af21c33fc0d60a8859ad9c4f36c3448a83e19c879a1db2

  • memory/2720-29-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/2720-33-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-2-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-3-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-4-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-5-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-1-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB

  • memory/3024-6-0x0000000002060000-0x000000000206C000-memory.dmp

    Filesize

    48KB

  • memory/3024-0-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

    Filesize

    4KB

  • memory/3024-32-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

    Filesize

    9.6MB