f5613c6137484b90027d1a9384a4a8065dd465129a17ce79f4bec5bd53ff1284

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe
Size

870KB
MD5

76431871bbbcbf9c2b5f319a0d206e5a
SHA1

d044404ffa4ae7c52b4b22d9a71e8dd065ed3fd3
SHA256

f5613c6137484b90027d1a9384a4a8065dd465129a17ce79f4bec5bd53ff1284
SHA512

7a9114057941d9d84443661caee365b13e3bb1dd34098cf9ed0d7d145b2c1eda472413541f01441d67379306f454ed907d089bedce6a6450837c975d508448f6
SSDEEP

12288:HYmiHHdBLtjUjweAxP54f+4r0RUKzKQfiINLAemYyBs02fUYQ2Vm88W7IOcCfQd2:HK5BUuP5A+447fdNESAs0Gn8WRfYd

Score

9^/10

credential_access discovery persistence spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4712-2-0x0000000000E00000-0x000000000103D000-memory.dmp	upx
behavioral2/memory/4712-3-0x0000000000E00000-0x0000000001092000-memory.dmp	upx
behavioral2/memory/4712-5-0x0000000000E00000-0x000000000103D000-memory.dmp	upx
behavioral2/memory/4712-6-0x0000000000E00000-0x0000000001092000-memory.dmp	upx
behavioral2/memory/4712-15-0x0000000000E00000-0x0000000001092000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IntelAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe"	76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76431871bbbcbf9c2b5f319a0d206e5a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-1-0x0000000002F10000-0x0000000002FDE000-memory.dmp

Filesize
824KB

Download
memory/4712-0-0x0000000002E30000-0x0000000002F0B000-memory.dmp

Filesize
876KB

Download
memory/4712-2-0x0000000000E00000-0x000000000103D000-memory.dmp

Filesize
2.2MB

Download
memory/4712-3-0x0000000000E00000-0x0000000001092000-memory.dmp

Filesize
2.6MB

Download
memory/4712-5-0x0000000000E00000-0x000000000103D000-memory.dmp

Filesize
2.2MB

Download
memory/4712-6-0x0000000000E00000-0x0000000001092000-memory.dmp

Filesize
2.6MB

Download
memory/4712-15-0x0000000000E00000-0x0000000001092000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads