Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 02:40

General

  • Target

    724a832967b6f8fcd21bc43a1927e969_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    724a832967b6f8fcd21bc43a1927e969

  • SHA1

    6c985edae5ddb648428ec09a13e4070e10e9e049

  • SHA256

    ced3a5d2fe45bdf9ee7a95ad64ca5034e5a23bbca315889c7f2041c4e0a973fc

  • SHA512

    f0f851efc64c83a9dc52d454d2fe6bc881dee7c544b149903d9429fc52d270dc91a4605d0489fe482544261861ecf3c6854e9ed9cdf10d0945606a7501c2f9e2

  • SSDEEP

    24576:oGiT9MV7CCLSvhWZtGRbCr7EpmACmacCZ0ClEtgcR6i1G3SZrbAQ39xKRsyVDgNd:GT9MvOvQO+r7nAGZ0iYX6nSVFXByVgNd

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\724a832967b6f8fcd21bc43a1927e969_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\724a832967b6f8fcd21bc43a1927e969_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe
      "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe
        "C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsu7957.tmp\Base64.dll

    Filesize

    456KB

    MD5

    9459a28dbb2752d59eaa8fbb5cf8c982

    SHA1

    4ad7eb230cf6d05df967037225fa19dd385bf7cb

    SHA256

    4688dcd01db816485a770cb8fc047fef9a408f3dbec5a2c83752fee115ce6963

    SHA512

    7dff6414f4215aa4c7a168158b4ac5dd422c7dd35c6af58bce658c6bf9bf5a3545a5ee0db5f5d47a17c7ae53cb54551b98b492137e36c73e684b2041d775cd97

  • C:\Users\Admin\AppData\Local\Temp\nsu7957.tmp\GetVersion.dll

    Filesize

    5KB

    MD5

    c6910d6e78c2e5f9d57d0bc6d8f6b736

    SHA1

    a395099062298b3f3c015359b227ca02a72c6e2c

    SHA256

    b2c32af2b0d75dfd08ae4e1ad7c5897957240b32bf7a16855d6a46512d272b9b

    SHA512

    4cd45b887ce5b7fecfd863cae83817465d7378cc9f5b50f5762d5f209c55a37257d94e91dea4c91c66f2c5bf22cdc1f5545eeef52a090f05cceeedf59bbd2a10

  • C:\Users\Admin\AppData\Local\Temp\nsu7957.tmp\System.dll

    Filesize

    10KB

    MD5

    0b96e50e5fd9b241435cfec46600b5a7

    SHA1

    1f79688c6bdd78b4e1812b110fd16d27c59b32d5

    SHA256

    10841d8d0a0fa457a62be63af7e30e72ffaec265470dbe16c0d61cc5b111d1e6

    SHA512

    01a5884ce81a622f81da23c4075aef4cbe68d18471908bb6082ad98bfd002c8a6c2b8069d250df0320cde22ad76eedc14a5d9369b370c2012d58575720da48b7

  • C:\Users\Admin\temp\TeamViewer\Version4\SAS.exe

    Filesize

    53KB

    MD5

    bf3bcd752bdabfa1f1e84b7462738103

    SHA1

    34cb8ea7d47467cace271e03b7869f37b0ecb30a

    SHA256

    90fe790e189c384f2ab82958057f91fdf40888c2ed3c0471bd7b85d5b36c7810

    SHA512

    6d5362c4d354319845f4522e0d1132c32a6779efc4c013c8c7bd489fddf39cbb5dfb72b135487b660d156d7774e5be4acc03c3fcecdb6dabcfad12630a3f5955

  • C:\Users\Admin\temp\TeamViewer\Version4\TV.dll

    Filesize

    64KB

    MD5

    4b030749eef3498b8efbaf2877a59fb5

    SHA1

    70d65a57582fa7145bcf7198e0751e5a3bfffcc5

    SHA256

    ee4f367a4074fa13d15eb17ae9e140d38b249959a29d6e4146c0577df2fed01b

    SHA512

    9a265c06a377bbcaba9b6b0e2752657701fd1fb82613d7ba520e4739108951d0059e1c8d7533a3e94928e5971a9d2fc575d3adc67f4ac768f844c63a5e11e8c7

  • C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer.exe

    Filesize

    3.4MB

    MD5

    0337483f5fd42db82837d6927eb522e9

    SHA1

    9011557916c89e5a0571a95646a9374ad7c174fc

    SHA256

    5ea676632a55b195ad1a6a84cd6af24404482ef6357f73d77c76eb43f57e3845

    SHA512

    3477299ddf80b0a81d6236e4f111c236ee4c6fee4c9982d534be716d4794d86287582b12393ba9de0a67730642190706ee0f96cf11a67efedd88b7b4991d12be

  • C:\Users\Admin\temp\TeamViewer\Version4\TeamViewer_.exe

    Filesize

    1.4MB

    MD5

    76d48872ed7b15e077120498d3ac3f07

    SHA1

    523a7528e1e2e58cc224aa974456969f8f91a820

    SHA256

    5cd3660829c4b3d8f7fafdb93c8b82c11198f6910662c09c92f65ac6035df7d1

    SHA512

    c3365c86aa5f5a171f2289eb3ee1f00368451553ccda9052e229cff35c94859c5dacd5d88a36d994c52c4b73502d7654b5dc0994c75437b1569d472fb229b8b3

  • memory/460-10-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/460-0-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1200-11-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1200-60-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1200-44-0x0000000010000000-0x00000000100A0000-memory.dmp

    Filesize

    640KB

  • memory/5028-66-0x0000000003400000-0x0000000003401000-memory.dmp

    Filesize

    4KB

  • memory/5028-67-0x0000000003400000-0x0000000003401000-memory.dmp

    Filesize

    4KB