Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2024 06:48

General

  • Target

    668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe

  • Size

    200KB

  • MD5

    668a025022e6c8fe47aa0c5e8030e6e0

  • SHA1

    04c7630a794b771a9ef1d980b0b2b66998bdc32b

  • SHA256

    a4403195b981f290922312ff5f0464f5fc9719b12dfd38da9639b5cf31ac9846

  • SHA512

    183883d70550a9c333fbb68ddd93c6e7b060978144e693812282da25db6d2d45fad30e05738dbe3e3c96f9565039787aed5ae4fd845afbfea2fa62a5d1e63422

  • SSDEEP

    6144:KSoKfASZZwg+wLoHZdgleUU7v8yav8d45rnhSG:KAASUmLnkJa0d4r

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    Smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    killllllll

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\668a025022e6c8fe47aa0c5e8030e6e0_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yh0tu6x.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7F8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7F7.tmp"
        3⤵
        PID:2296
      • C:\Users\Admin\AppData\Local\Temp\Microsoftlog.exe
        "C:\Users\Admin\AppData\Local\Temp\Microsoftlog.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2716

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4yh0tu6x.dll

      Filesize

      5KB

      MD5

      f4b140d7cdcb67f6513aad5ea822aa8b

      SHA1

      18825ddd1561fcffccfe0cf0b937b89038c87bdb

      SHA256

      da475a75ff0729d6bfbbc36d88c52de7477af228e118e063fc2afee8a07ca59b

      SHA512

      9dda737cfa878d479b148c6abcc711ef6196f72c2a8956338efb37704b1b2a278551cc983e37f164f469eed3be8dc822df461c7853b39c3f6e3366a9e8ae5580

    • C:\Users\Admin\AppData\Local\Temp\RESD7F8.tmp

      Filesize

      1KB

      MD5

      002bf477cac597cf0cd54ad365c5d9c8

      SHA1

      2f17a5a3f320f1055daa2b5e878ffec74e6ed9ff

      SHA256

      559d875a7e0dab2e1832f3380e4f3dc756628fae0451f195337dc251885b6f8e

      SHA512

      a77cc5982338f39cc22d51c8d404135ec78b5e9d00d7590f74030d986e204dc28fb62984247626744786bb8af3919049ac6f0c1e47aa30f90ebcac753ae1cf19

    • C:\Users\Admin\AppData\Local\Temp\log.txt

      Filesize

      8KB

      MD5

      4b6e2baaba6ca14db8210673d8ef5a44

      SHA1

      68c2cf724807765705c90ab3c8c6d62cfad60a71

      SHA256

      1f7d4f5cc778744f78451ae0952c5d7a7541f9a7665f5d11463794d9893abd6d

      SHA512

      df19c472bfc5fece29771cd93e27a3b05d9795d34b36698953fca04c510afc17b3928d1f97c0b847ed6760731ff0467f2a735339fc9f97f4ae7d900a40ee21f3

    • \??\c:\Users\Admin\AppData\Local\Temp\4yh0tu6x.0.cs

      Filesize

      5KB

      MD5

      cb25540570735d26bf391e8b54579396

      SHA1

      135651d49409214d21348bb879f7973384a7a8cb

      SHA256

      922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

      SHA512

      553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

    • \??\c:\Users\Admin\AppData\Local\Temp\4yh0tu6x.cmdline

      Filesize

      206B

      MD5

      920125d36fd9e8fd154ee0bedfd8b55d

      SHA1

      04d2a10dd8c18e8498451ff30a99fe1611c00506

      SHA256

      bc5f7f1bce711b35e32a82cb35ba46755433f13dfa9f39044f433f1595c0ab29

      SHA512

      a4c1bc9c0de461299750678a93ce45ce5280ad7368d2a79dffd51ea3dddad19371be7e06e04ce9fe356690fc6f9f3ca4ddfbc442d231c71dde8fb1c2e86a9afb

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCD7F7.tmp

      Filesize

      652B

      MD5

      e66cc889b5c73ca93b4b9fa1c68cbc4d

      SHA1

      71431b4bbc7f7e311727b80db9cb98b90a4bffcb

      SHA256

      943417be1958e797486075806efd3b69869f55670c0a2ec7539e544eb10a32e9

      SHA512

      ec3d304e86277f066e79cdb9c2878ea4687e31eedbc8858f91c150b9799ce8fa8f5df11a75aafe19e7413970c527253f36ac7e90e8661fa69eb559a6b69958a7

    • \Users\Admin\AppData\Local\Temp\Microsoftlog.exe

      Filesize

      114KB

      MD5

      1f5200c4744dc14545459a89654c58d1

      SHA1

      2703232ecad2953736f855fe1dc76ad3ee45578c

      SHA256

      dc166d945fcc6e0babb9b89838fc1f613c35caffa1b9b39a50828ce89a638297

      SHA512

      e802ac4ac42d98db86422eb9e2b0f4814b471eec8eb63d5f55286a0575ee9d9918c06bcd846bca26b9c8715923a9f6f63305f13b40bbe603a5ba47ba17c86557

    • memory/1872-29-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/1872-19-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/1872-2-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/1872-0-0x0000000074341000-0x0000000074342000-memory.dmp

      Filesize

      4KB

    • memory/1872-30-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/1872-32-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/1872-1-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2360-15-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB

    • memory/2360-8-0x0000000074340000-0x00000000748EB000-memory.dmp

      Filesize

      5.7MB