54817c4ff1692d76bfd12825f14ff3279d11b53b350fcbc44b0c701d39121b0b

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Size

704KB
MD5

64bcd21d2c580325590cb65df5ab9760
SHA1

da77bb3249dbc03a20e0ab1bfd1649a19196e754
SHA256

54817c4ff1692d76bfd12825f14ff3279d11b53b350fcbc44b0c701d39121b0b
SHA512

1e33364b7ac56fa7fd84f04462002480dfb7350c33a4dbf3ec5d7585ab05e4857eb747dd13d248b9f851ade6ee92993fa78e56651748b28fdc91cbe70a72133f
SSDEEP

12288:t0+OFHrTbVrrMo+G4R/cD6wtPgvDQoyazsfh3HG2vG/7sCOHXsfGrC1uhOeE:IJZUF5R/c4rwFHG2C7sbHn2aO5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	iStealer 3.0.exe

Loads dropped DLL 1 IoCs

pid	Process
2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: 33	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: 33	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
Token: 33	2840	iStealer 3.0.exe
Token: SeIncBasePriorityPrivilege	2840	iStealer 3.0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	iStealer 3.0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2840	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe	29
PID 2152 wrote to memory of 2840	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe	29
PID 2152 wrote to memory of 2840	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe	29
PID 2152 wrote to memory of 2840	2152	64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64bcd21d2c580325590cb65df5ab9760_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\iStealer\3, 0, 0, 0\2010.08.04T23.59\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\iStealer 3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\iStealer 3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Xenocode\Sandbox\iStealer\3, 0, 0, 0\2010.08.04T23.59\Virtual\STUBEXE\8.0.1112\@APPDATALOCAL@\Temp\iStealer 3.0.exe

Filesize
17KB

MD5
e149575c958af10851e9d141a6c33d40

SHA1
9390b4ccbf2b3accd2309a6efd77205f9f09fd4f

SHA256
48ab5b8f64b0600a5eb1ad24a883243be55f113c3ef380f3e87fa2dc49001210

SHA512
d66b1dd6278915f4373bb50169cda71f4052b87bc0420dbb492099516fef8f2ddd9f296031483893fd07db7815cad0232864ca6ffe5e8175f2a0ff007dbd82cb

Download Submit
memory/2152-6-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2152-16-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/2152-4-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2152-3-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2152-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2152-0-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/2152-7-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2152-5-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/2152-9-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/2152-8-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/2152-23-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/2840-13-0x000000000045A000-0x00000000004B7000-memory.dmp

Filesize
372KB

Download
memory/2840-14-0x00000000004B1000-0x00000000004B7000-memory.dmp

Filesize
24KB

Download
memory/2840-15-0x00000000004B1000-0x00000000004B7000-memory.dmp

Filesize
24KB

Download
memory/2840-17-0x0000000000400000-0x00000000004B649D-memory.dmp

Filesize
729KB

Download
memory/2840-21-0x0000000000400000-0x00000000004B649D-memory.dmp

Filesize
729KB

Download
memory/2840-12-0x0000000000400000-0x00000000004B649D-memory.dmp

Filesize
729KB

Download