5bff5903afde2d37f1a099b40d823b40eae3eaf0d6b1273614a55cbcbc3e9ed5

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
Size

322KB
MD5

5e8f9d47496d8b32d08178d59fe9d8be
SHA1

39d3ed32a46902ae480557c2842defa34169813d
SHA256

5bff5903afde2d37f1a099b40d823b40eae3eaf0d6b1273614a55cbcbc3e9ed5
SHA512

384f392b093a2dea8d63fd590aa95354208e2e47c9d4b08eeb53de457681f5c0d8547e878a41473ebf3eb0757d1cf0464356146d14d6f10a5ce96b3492eab628
SSDEEP

6144:PN1hMAwD9WyiQiSJE++Zsu7RqaOVDZN97ZLG50ARZHGdWz47btNoSk:PXGAw5fiLSJEb94VNnC5bND47btNoSk

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1360	explorer.exe
216	A548.tmp

Loads dropped DLL 64 IoCs

pid	Process
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp
216	A548.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2940-0-0x0000000000B30000-0x0000000000BC1000-memory.dmp	upx
behavioral2/files/0x0009000000023449-3.dat	upx
behavioral2/memory/1360-5-0x00000000006B0000-0x0000000000741000-memory.dmp	upx
behavioral2/memory/1360-259-0x00000000006B0000-0x0000000000741000-memory.dmp	upx
behavioral2/memory/2940-260-0x0000000000B30000-0x0000000000BC1000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002349f-9.dat	nsis_installer_1
behavioral2/files/0x000700000002349f-9.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main	A548.tmp
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\SearchScopes	A548.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Restore = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	A548.tmp
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\SearchScopes\{E97FE316-EA8E-7A57-3B26-D5A0B88D26F9}	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E97FE316-EA8E-7A57-3B26-D5A0B88D26F9}\DisplayName = "Yahoo!"	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{E97FE316-EA8E-7A57-3B26-D5A0B88D26F9}"	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E97FE316-EA8E-7A57-3B26-D5A0B88D26F9}\URL = "http://www.whitesmokestart.com/s/?q={searchTerms}&iesrc=IE-SearchBox&site=Yahoo!&cfg=2-267-0-0"	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E97FE316-EA8E-7A57-3B26-D5A0B88D26F9}\FaviconURLFallback = "http://m.www.yahoo.com/favicon.ico"	A548.tmp
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	A548.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	A548.tmp

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.whitesmokestart.com/?cfg=2-267-0-0"	A548.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1360	2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe	85
PID 2940 wrote to memory of 1360	2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe	85
PID 2940 wrote to memory of 1360	2940	5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe	85
PID 1360 wrote to memory of 216	1360	explorer.exe	88
PID 1360 wrote to memory of 216	1360	explorer.exe	88
PID 1360 wrote to memory of 216	1360	explorer.exe	88

C:\Users\Admin\AppData\Local\Temp\5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e8f9d47496d8b32d08178d59fe9d8be_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\explorer.exe" /X
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\A548.tmp
    "C:\Users\Admin\AppData\Local\Temp\A548.tmp" /S /DEFAULTSEARCH /TOOLBAR /DEFAULTSTART /CHANNEL="5214"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A548.tmp

Filesize
245KB

MD5
b2c1ecbb4e673505e9248a25dfc286b0

SHA1
dd472f78c5e8591ad7c57435c67b46cfabafafcf

SHA256
4dda42df9fe0ae768b89e119656e98553341f5f8307ad23614b91f3403080318

SHA512
753a46eeef549f2a04a2530cd617c520ca8599576c0143563cd11fa55f1304bdebe0398dfc001769bd63023ff7bf83c9a62643e1284d1a05f2b60c0c5d03a033

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
322KB

MD5
5e8f9d47496d8b32d08178d59fe9d8be

SHA1
39d3ed32a46902ae480557c2842defa34169813d

SHA256
5bff5903afde2d37f1a099b40d823b40eae3eaf0d6b1273614a55cbcbc3e9ed5

SHA512
384f392b093a2dea8d63fd590aa95354208e2e47c9d4b08eeb53de457681f5c0d8547e878a41473ebf3eb0757d1cf0464356146d14d6f10a5ce96b3492eab628

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\inetc.dll

Filesize
20KB

MD5
2f94245152dbd233e248909f9c01c578

SHA1
ab4e5879c001b36a2f9ff214946599fd015edda9

SHA256
4c4d85eb9725fc7fade03467990e3dd9671c29a7870c97e69babc2cb3c9adef9

SHA512
f92830de27d6663be5e0df9e32cd88732bc7ee93b14c1ded65258c325d22436400801aff1124f40400c6c3b3c16e71deb08436714716f3888d13a8a6b6a32231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA615.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/216-25-0x0000000002430000-0x000000000244A000-memory.dmp

Filesize
104KB

Download
memory/1360-5-0x00000000006B0000-0x0000000000741000-memory.dmp

Filesize
580KB

Download
memory/1360-259-0x00000000006B0000-0x0000000000741000-memory.dmp

Filesize
580KB

Download
memory/2940-0-0x0000000000B30000-0x0000000000BC1000-memory.dmp

Filesize
580KB

Download
memory/2940-260-0x0000000000B30000-0x0000000000BC1000-memory.dmp

Filesize
580KB

Download