Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/07/2024, 15:23

General

  • Target

    681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

  • Size

    309KB

  • MD5

    681f4d4923414f8c803c67d39c2808b7

  • SHA1

    1a3eaf39a3678f21454851d549cc8e936a7c2170

  • SHA256

    2279c0b4fafbae6773c124bde2ed0ceb249f8917211b10b45d90db257462d012

  • SHA512

    0a8cab079648f6a02f13f968d158d85a105ca09a6fa457768c822ec45f473b6b2f9919cd372500e1987125ad5d27f7f491f8bc389dbea9c77047f28501aefe81

  • SSDEEP

    6144:HK0N5hVsYqtArnEmOP+5VTAkD3ejNTfVYNNymCnkW3qe:HK4DsNtADE6VTAkD3OCNymCkW3

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
      "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2748
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2928
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    PID:1772
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:920
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2176
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2532
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3068
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:1804
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

        Filesize

        284KB

        MD5

        7ffeb68eb174c10b3f48898548a2f2a0

        SHA1

        6a02857cd6c936fe1566969450996e8d2d6af707

        SHA256

        9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269

        SHA512

        3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c

      • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

        Filesize

        1.2MB

        MD5

        81c19480abd4ea36763852ec1ee742d4

        SHA1

        5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a

        SHA256

        bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd

        SHA512

        3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58

      • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

        Filesize

        284KB

        MD5

        a40d7040911f9360acab97ed2fac1b11

        SHA1

        6a7df4f5e840d0fd7dc65fb9b02690c768b649bd

        SHA256

        4f5467e4377a52dd76cc724ff665ae8c56e4008bc61590c809b23861428d2bbd

        SHA512

        c9afd78f2de5ade601f0e7caa5b788041460a3fb636f7d2560291e37cab5d050fc0b1edfa837e9fed4363724f1aa9cb4b09b3d94b4b38592a7d72540796cd0c5

      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

        Filesize

        1024KB

        MD5

        d10c27f59dfdc972c4de635687df4614

        SHA1

        3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

        SHA256

        71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

        SHA512

        4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{7A56F667-11B5-41B1-B30E-A0703FAFB277}.jpg

        Filesize

        22KB

        MD5

        35e787587cd3fa8ed360036c9fca3df2

        SHA1

        84c76a25c6fe336f6559c033917a4c327279886d

        SHA256

        98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

        SHA512

        aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{CE15F2BF-B9D6-4528-A990-1074749AF156}.jpg

        Filesize

        23KB

        MD5

        fd5fd28e41676618aac733b243ad54db

        SHA1

        b2d69ad6a2e22c30ef1806ac4f990790c3b44763

        SHA256

        a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

        SHA512

        4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VOGNAB2O\mg4_wmp12_30x30_2[1].png

        Filesize

        1KB

        MD5

        2fb401b99e4b8728820a2fc6a80e89bb

        SHA1

        30b7bc0ab429165b797018b85204ccb51cda2689

        SHA256

        1be5955f420df102cc84e1a7cd470ea81ded6e2a4ac13409dcdd24541522837e

        SHA512

        414f4762f26e412d983ee29650b01c6f1ce04f48d114fde21e1fb91efcfd142ae24edc8dee3aba6bf22db41cd75c92e78a83bbbeaff707ef42992ed5119d3692

      • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

        Filesize

        32KB

        MD5

        84bba83cfbc0233517407678bb842686

        SHA1

        1c617de788de380d28c52dc733ad580c3745a1c1

        SHA256

        6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

        SHA512

        a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

        Filesize

        203KB

        MD5

        1054794e0d4602da866fc1bd5335fd28

        SHA1

        09fa7fec96bdc99c8d8060e13a5190a9ac47ecb6

        SHA256

        bf17cc35978a2ee4fcfed2ff5e1af2807a08072b477300e77c7d276a52a56ca1

        SHA512

        4038b53e9c9e6656bcba3723e63c4bccf4127323b444c122aaeea05bec18f984f6b87a800c26e0c5f8e07c58134130166665700a3c06bbc0934c239c62d34e03

      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

        Filesize

        1003KB

        MD5

        93b8d4f09716b9bd32dab20ae191ba2f

        SHA1

        ddf7abebaa8cfdf4eb9fa8e2fc18c09994dcf5fd

        SHA256

        3a946732fee7fba82b3d70e72e68c33ecde18e2b01a615f72a4eee33f736c686

        SHA512

        9503690bdf43fd363181f204694cf8ce1f7e2533118912f22e6c2d380048c79572ab0a642f95d9af719201d2aaab026249c10ab6b00e5fcfb94179683e6960ee

      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

        Filesize

        234KB

        MD5

        824a5ec60bffac62cc319f2ed6e76b6d

        SHA1

        f85df9a2cdb4598564a51d4e2890bd23bbb16939

        SHA256

        b3f7bc8acc07ac728477dcce83a1952659f23071f8afd3b14fb3ca6e6f61a67c

        SHA512

        dc56a03d5f3f04afaf8e9a97d0cee5d1272b3925e529745eeaedd90147cd54df205f8bd5f48939d9411eba7cc8bdfdd8a7665707bf7605407fd2939a762907c2

      • \??\c:\program files (x86)\microsoft office\office14\groove.exe

        Filesize

        29.7MB

        MD5

        11c558b05e1b6da7abdff816b351bf7c

        SHA1

        485fcdee3a7cb7a5ddc225dce29ec906c404d120

        SHA256

        848ae59bc24124c76aac9b3cdce456c4649ad0c59f3c7689130a5b02bdca100c

        SHA512

        a43e1fe11c21c0f952b5748a5e4cfed413b9f5d8f1be422a71b14f66b4cc4b41f02ea69329438aba53ae8e729ad6ae766ae08af24ccf27f8633e7fb36450936a

      • \??\c:\windows\SysWOW64\svchost.exe

        Filesize

        164KB

        MD5

        234f435cd3088121b6c64219ab325ec0

        SHA1

        65617b0ae173b729579ffa0275d207529a38c6e4

        SHA256

        915778d156c2cc567f7f07d102406bc92911c6b5cb7d69366c3e783e12628ad2

        SHA512

        02758a65dae89bf3acf1f5cbe2ab9db4f2afa02fc51e1910de0002c2506927c95bcc24f64778a3f78e25d0cdcac2f73afa0f7589f080448119c7e60f6a60e7db

      • memory/1108-135-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

        Filesize

        64KB

      • memory/1108-119-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

        Filesize

        64KB

      • memory/1108-158-0x0000000002370000-0x0000000002378000-memory.dmp

        Filesize

        32KB

      • memory/1108-164-0x0000000003F10000-0x0000000003F11000-memory.dmp

        Filesize

        4KB

      • memory/1108-170-0x0000000002370000-0x0000000002378000-memory.dmp

        Filesize

        32KB

      • memory/1108-172-0x0000000002320000-0x0000000002321000-memory.dmp

        Filesize

        4KB

      • memory/1108-181-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

        Filesize

        32KB

      • memory/1772-94-0x0000000000400000-0x0000000000479000-memory.dmp

        Filesize

        484KB

      • memory/2532-114-0x000000002E000000-0x000000002E086000-memory.dmp

        Filesize

        536KB

      • memory/2732-0-0x0000000001000000-0x000000000108B000-memory.dmp

        Filesize

        556KB

      • memory/2732-215-0x00000000002B0000-0x00000000002B1000-memory.dmp

        Filesize

        4KB

      • memory/2732-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

        Filesize

        4KB

      • memory/2928-100-0x0000000010000000-0x0000000010070000-memory.dmp

        Filesize

        448KB

      • memory/2928-83-0x0000000010000000-0x0000000010070000-memory.dmp

        Filesize

        448KB