Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 25/07/2024, 21:32
Static task: static1
Behavioral task: behavioral1
  Sample: 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
Size: 351KB
MD5: 715270ff57f1719b921e5d21f1d6a1bf
SHA1: 5b221059536a6b4e865b679f83208fd5936438ee
SHA256: af6d8eab48b6ca9eed0f8f8f1338f4f587c3c82ba808b1006394500ecd1867d0
SHA512: 3249c36ace824aa30391448adacde96ce03b82b91f98e4d04a464959fd2db4693e45263d2465e29ca2aeed4714cf0ae895015f124b3c27b1d6d061cc5ff9a5d7
SSDEEP: 6144:wPpE/wGLKeZj/D6or5FgWbwtb5a4IrRWcdvuUDRBz6zBqr9shdqzkWAPz634UAha:wPpNKj7OvVIrRWcFBRBUqSozxS634j3K
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid | Process
2240 | timer2tray.exe
2792 | timer2tray.exe
2868 | eNUC0EF.exe
Loads dropped DLL 5 IoCs
pid | Process
2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
2240 | timer2tray.exe
2792 | timer2tray.exe
2792 | timer2tray.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2092-3-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-13-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-12-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-11-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-10-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-9-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-8-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-6-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2092-19-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2792-45-0x0000000000400000-0x000000000048D000-memory.dmp | upx
behavioral1/memory/2792-39-0x0000000000400000-0x000000000048D000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\8E638A6D01AD0E10 = "C:\\timer2tray\\timer2tray.exe /q" | eNUC0EF.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2172 set thread context of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2240 set thread context of 2792 | 2240 | timer2tray.exe | 32
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timer2tray.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timer2tray.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eNUC0EF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PhishingFilter | eNUC0EF.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" | eNUC0EF.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" | eNUC0EF.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery | eNUC0EF.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" | eNUC0EF.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
2240 | timer2tray.exe
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2172 wrote to memory of 2092 | 2172 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 30
PID 2092 wrote to memory of 2240 | 2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 31
PID 2092 wrote to memory of 2240 | 2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 31
PID 2092 wrote to memory of 2240 | 2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 31
PID 2092 wrote to memory of 2240 | 2092 | 715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe | 31
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2240 wrote to memory of 2792 | 2240 | timer2tray.exe | 32
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2792 wrote to memory of 2868 | 2792 | timer2tray.exe | 33
PID 2868 wrote to memory of 2092 | 2868 | eNUC0EF.exe | 30
PID 2868 wrote to memory of 2092 | 2868 | eNUC0EF.exe | 30
PID 2868 wrote to memory of 2092 | 2868 | eNUC0EF.exe | 30
PID 2868 wrote to memory of 2092 | 2868 | eNUC0EF.exe | 30
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2172
Level 2: C:\Users\Admin\AppData\Local\Temp\715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
Command line: C:\Users\Admin\AppData\Local\Temp\715270ff57f1719b921e5d21f1d6a1bf_JaffaCakes118.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2092
Level 3: C:\timer2tray\timer2tray.exe
Command line: "C:\timer2tray\timer2tray.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2240
Level 4: C:\timer2tray\timer2tray.exe
Command line: C:\timer2tray\timer2tray.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2792
Level 5: C:\Users\Admin\AppData\Local\Temp\eNUC0EF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eNUC0EF.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 29090b6b4d6605a97ac760d06436ac2d
SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

Filesize: 188KB
MD5: c124f4073045662cafb476a1eb17b5a2
SHA1: 74f0bd2441241aaeab2e3d83e2cc3cf9085bceb8
SHA256: 6c17843ded263fe5e8931d31eea7bb24199d2a321c58cdea9fda9eb362d75d02
SHA512: c3572ed678301b90fdb23144aac4b7e6ae61ab24d33209008581f13f213cd6441917a4c9f0adbd08cf963a3c9e9233d76950b3ad23e1e28b99cbc8d384630591

Filesize: 351KB
MD5: 715270ff57f1719b921e5d21f1d6a1bf
SHA1: 5b221059536a6b4e865b679f83208fd5936438ee
SHA256: af6d8eab48b6ca9eed0f8f8f1338f4f587c3c82ba808b1006394500ecd1867d0
SHA512: 3249c36ace824aa30391448adacde96ce03b82b91f98e4d04a464959fd2db4693e45263d2465e29ca2aeed4714cf0ae895015f124b3c27b1d6d061cc5ff9a5d7