Analysis

max time kernel: 142s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 10:31
Static task: static1

Behavioral task: behavioral1
  Sample: 73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General

Target: 73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
Size: 276KB
MD5: 73acea44fbbe0c1fc2e5590e377df9c6
SHA1: 43bd62fe3189f5694156ca93fcf8bb10f0148f54
SHA256: bcf21b35c9471c18119fe024c10025e24f7ae762dec72d9fe752975f19e957fd
SHA512: b8b58b4d9f8033ce63ef45d0e94e0849e41c7852a0ae2c2131b1a37370dc70c63dd4db4e2e3b3c5ef21da08e5c4dd185df488bd34e42170278a8c37f237bfd2e
SSDEEP: 6144:NX4i4Zs/ON7CJVFJRwAGRtS2wWAgZzc0kq/pe9Ijm:NjWZE7JRotSC120cM
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\0F349\\4AED3.exe"
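The Winlogon Shell write above is the persistence mechanism worth understanding: Winlogon treats the Shell value as a comma-separated list and launches every entry, so the sample keeps explorer.exe in first position and appends its own binary under the user's AppData, and the desktop comes up normally. The following triage helper is an added example, not part of the sandbox report; the key path and value are transcribed from the IoC (the report prints each backslash doubled, the registry holds single backslashes), and the `USER_WRITABLE_MARKERS` list is an assumption chosen for this example.

```python
"""Triage a Winlogon\\Shell registry write such as the one in this report.

Added example; not part of the sandbox report. The sample key path and value
are transcribed from the IoC above (constructed input for this example).
"""
from dataclasses import dataclass, field

# Stock value of ...\Winlogon\Shell on a default Windows install.
DEFAULT_SHELL = "explorer.exe"

# Profile locations an unprivileged process can write to (assumed list); a
# shell entry under one of these persists without any elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Transcribed from the signature table above.
REPORTED_KEY = r"\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
REPORTED_VALUE = r"explorer.exe,C:\Users\Admin\AppData\Roaming\0F349\4AED3.exe"


@dataclass
class ShellFinding:
    scope: str                                          # "user:<SID>" or "machine"
    entries: list = field(default_factory=list)         # value split in launch order
    extra: list = field(default_factory=list)           # everything that is not explorer.exe
    user_writable: list = field(default_factory=list)   # extras living in user-writable paths

    @property
    def suspicious(self) -> bool:
        return bool(self.extra)


def hive_scope(nt_key_path: str) -> str:
    """Map an NT object-manager key path to its hive.

    \\REGISTRY\\USER\\<SID>\\... is that user's HKCU; \\REGISTRY\\MACHINE\\... is HKLM.
    """
    parts = nt_key_path.split("\\")          # ['', 'REGISTRY', 'USER', '<SID>', ...]
    if len(parts) > 3 and parts[1].upper() == "REGISTRY":
        if parts[2].upper() == "USER":
            return "user:" + parts[3]
        if parts[2].upper() == "MACHINE":
            return "machine"
    return "unknown"


def audit_winlogon_shell(nt_key_path: str, value: str) -> ShellFinding:
    """Anything other than the bare default is a finding.

    A full path to a file named explorer.exe is also flagged: Winlogon would
    happily run a look-alike from a user directory.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
    user_writable = [e for e in extra
                     if any(m in e.lower() for m in USER_WRITABLE_MARKERS)]
    return ShellFinding(hive_scope(nt_key_path), entries, extra, user_writable)


if __name__ == "__main__":
    f = audit_winlogon_shell(REPORTED_KEY, REPORTED_VALUE)
    print(f"scope={f.scope} suspicious={f.suspicious}")
    for e in f.extra:
        tag = "user-writable" if e in f.user_writable else "system path"
        print(f"  extra shell entry: {e} ({tag})")
```

The scope matters for response: this write landed in the per-user hive of SID S-1-5-21-...-1000, so it needed no elevation and a machine-wide audit of HKLM\...\Winlogon\Shell alone would miss it.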
Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.

Executes dropped EXE (1 IoC)
  pid 4032, process 2630.tmp

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
YARA matches on memory dumps (rule: upx)
  resource                                                                      yara_rule
  behavioral2/memory/3444-1-0x0000000000400000-0x00000000004A8000-memory.dmp    upx
  behavioral2/memory/3444-2-0x0000000000400000-0x00000000004A8000-memory.dmp    upx
  behavioral2/memory/764-8-0x0000000000400000-0x00000000004A8000-memory.dmp     upx
  behavioral2/memory/764-9-0x0000000000400000-0x00000000004A8000-memory.dmp     upx
  behavioral2/memory/764-15-0x0000000000400000-0x00000000004A8000-memory.dmp    upx
  behavioral2/memory/3444-51-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral2/memory/972-107-0x0000000000400000-0x00000000004A8000-memory.dmp   upx
  behavioral2/memory/3444-109-0x0000000000400000-0x00000000004A8000-memory.dmp  upx
  behavioral2/memory/3444-181-0x0000000000400000-0x00000000004A8000-memory.dmp  upx
  behavioral2/memory/3444-184-0x0000000000400000-0x00000000004A8000-memory.dmp  upx
Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (1 IoC)
  Process: 73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
    description: File opened for modification
    ioc: C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2630.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                                             target process
  PID 3444 wrote to memory of 764   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 764   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 764   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 972   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 972   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 972   3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe
  PID 3444 wrote to memory of 4032  3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  2630.tmp
  PID 3444 wrote to memory of 4032  3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  2630.tmp
  PID 3444 wrote to memory of 4032  3444  73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  2630.tmp
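The nine WriteProcessMemory rows are really three injection edges: the parent (3444) writes three times into each of two fresh copies of itself and three times into the dropped 2630.tmp. Reducing the rows to edges and labelling each by what was written into is the first thing to do before pivoting into memory dumps. The script below is an added example, not part of the sandbox report; the rows are transcribed from the table above, the pattern labels are this example's own terminology, and the mapping of pid 4032 to 2630.tmp comes from the "Executes dropped EXE" signature.

```python
"""Collapse the 'Suspicious use of WriteProcessMemory' rows into injection
edges and classify each one. Added example, not part of the sandbox report;
the rows below are transcribed from the table above (constructed input).
"""
from collections import Counter

SAMPLE = "73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe"
DROPPED = "2630.tmp"

# (source pid, target pid, source image, target image), one tuple per reported row.
WRITE_ROWS = [
    (3444, 764, SAMPLE, SAMPLE),
    (3444, 764, SAMPLE, SAMPLE),
    (3444, 764, SAMPLE, SAMPLE),
    (3444, 972, SAMPLE, SAMPLE),
    (3444, 972, SAMPLE, SAMPLE),
    (3444, 972, SAMPLE, SAMPLE),
    (3444, 4032, SAMPLE, DROPPED),
    (3444, 4032, SAMPLE, DROPPED),
    (3444, 4032, SAMPLE, DROPPED),
]

# Processes the report lists under "Executes dropped EXE" (pid -> image), so an
# edge into one of them can be tied to a binary we also have a hash for.
DROPPED_EXE_PIDS = {4032: DROPPED}


def classify_edge(src_img, dst_img, dst_pid):
    """Label an edge by what the parent wrote into (labels are this example's).

    same-image-child : parent writes into a fresh copy of itself; the process
                       tree shows the sample re-launching itself with
                       'start...' arguments, the usual self-injection shape.
    dropped-exe      : target is a binary the sample wrote to disk and ran.
    other            : anything else (e.g. a legitimate system process).
    """
    if src_img.lower() == dst_img.lower():
        return "same-image-child"
    if dst_pid in DROPPED_EXE_PIDS:
        return "dropped-exe"
    return "other"


def injection_edges(rows):
    """One record per (source, target) pair with the write count.

    Sandboxes log every WriteProcessMemory call, so one injection sequence
    shows up as several rows for the same pair; the count per pair is the
    useful number, not the raw row count.
    """
    counts = Counter((src, dst) for src, dst, _, _ in rows)
    images = {(src, dst): (si, ti) for src, dst, si, ti in rows}
    edges = []
    for (src, dst), n in sorted(counts.items()):
        src_img, dst_img = images[(src, dst)]
        edges.append({"src": src, "dst": dst, "writes": n,
                      "src_image": src_img, "dst_image": dst_img,
                      "pattern": classify_edge(src_img, dst_img, dst)})
    return edges


def injection_targets(rows):
    """Pids that received writes; the set to look for in the memory dumps."""
    return {dst for _, dst, _, _ in rows}


if __name__ == "__main__":
    for e in injection_edges(WRITE_ROWS):
        print(f"{e['src']} -> {e['dst']} ({e['dst_image']}): "
              f"{e['writes']} writes, {e['pattern']}")
```

The same-image edges deserve attention even though the target is "just" the sample again: a parent that spawns itself and then writes into the child is typically placing an unpacked payload in the copy, which is why the child's memory dumps, not the file on disk, are where to look for the real code.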
Processes

C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  (PID 3444, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe startC:\Program Files (x86)\Internet Explorer\D3A0\858.exe%C:\Program Files (x86)\Internet Explorer\D3A0

  C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe  (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\73acea44fbbe0c1fc2e5590e377df9c6_JaffaCakes118.exe startC:\Program Files (x86)\49423\lvvm.exe%C:\Program Files (x86)\49423

  C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp  (PID 4032, depth 2)
    command line: "C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Downloads
C:\Program Files (x86)\Internet Explorer\D3A0\2630.tmp
  Filesize: 101KB
  MD5: 4de57061b637aa8c144f3847f35f2820
  SHA1: 21372e9be2f5bc629f7cd87286026945d5ab8656
  SHA256: 3b961e666c2166929e6bab6b7e597c0057c5dc0b0d24eb05c4f838100aeb2c60
  SHA512: 0603603596018348d51400b8176e583c38e3ebf3de03b311930ff5c7b249446d74dd86aa90018f519adf43191a1f9b9192b69540243d2e880d1c8092967c2ab9

C:\Users\Admin\AppData\Roaming\0F349\9423.F34  (capture 1 of 2 at this path)
  Filesize: 996B
  MD5: 09680c7e048745030aae775be8416208
  SHA1: c06eaa57a2e55a0a56648f299c7a63f7971415a7
  SHA256: 5930f2ee41348fa89b5491e0565587300df7151d76304086eb4e4698d7ee34e2
  SHA512: 307ebd5dbeea7ee2497c51737d3553588575f7d1cb76812a669c5d82702b29396ce72a5776701af7b59b2f02780ac70c0718f6e695f49b94a5d1213eb42f9840

C:\Users\Admin\AppData\Roaming\0F349\9423.F34  (capture 2 of 2 at this path)
  Filesize: 600B
  MD5: d57e6649f820c3e2c0e854f658de33fb
  SHA1: a28c23083733643b58c8f7cfed1679b82efe5e16
  SHA256: 7cea727b86f53e5be86720c0483d7d67deba7fdfd45425ef9cd4d0ef4cc7a42d
  SHA512: d297f1382d03e140b3f2981c5bef25fefff5f3c087fa05a38b24991db0aaad27e08b34e9f051bf8cb33e333b2b6a644ead27882e2ca3790c2725dc14e34384aa

Memory dumps (name, Filesize):
  memory/764-8-0x0000000000400000-0x00000000004A8000-memory.dmp     672KB
  memory/764-9-0x0000000000400000-0x00000000004A8000-memory.dmp     672KB
  memory/764-15-0x0000000000400000-0x00000000004A8000-memory.dmp    672KB
  memory/972-108-0x0000000000516000-0x000000000053B000-memory.dmp   148KB
  memory/972-107-0x0000000000400000-0x00000000004A8000-memory.dmp   672KB
  memory/3444-51-0x0000000000400000-0x00000000004A8000-memory.dmp   672KB
  memory/3444-109-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
  memory/3444-1-0x0000000000400000-0x00000000004A8000-memory.dmp    672KB
  memory/3444-2-0x0000000000400000-0x00000000004A8000-memory.dmp    672KB
  memory/3444-181-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
  memory/3444-184-0x0000000000400000-0x00000000004A8000-memory.dmp  672KB
  memory/4032-180-0x0000000000400000-0x000000000041C000-memory.dmp  112KB
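The memory-dump names encode pid, capture sequence number and the dumped address range, and the ranges line up with the rest of the report: the 276KB sample occupies a 672KB region at 0x400000 in the parent and in both same-image children (764 and 972), every one of those dumps hits the upx rule, and the dropped 2630.tmp (101KB on disk) occupies 112KB at the same base in pid 4032. The script below is an added example, not part of the sandbox report: it parses the names, checks each range against the printed size, and confirms that every WriteProcessMemory target has an image-base dump to pivot into. The dump list is transcribed from above, the target pids from the signature table; the assumption that 0x400000 is the conventional image base for a non-relocated 32-bit PE (the sample is tagged arch:x86) is this example's.

```python
"""Parse the memory-dump names in the Downloads list and check them against
the reported sizes and the WriteProcessMemory targets. Added example, not
part of the sandbox report; names and sizes are transcribed from the list
above (constructed input for this example).
"""
import re

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")

# Conventional image base of a 32-bit PE that is not relocated (assumption
# for this example; the report tags the sample arch:x86).
DEFAULT_IMAGE_BASE = 0x400000

# (dump name, size as printed in the report), transcribed from the list above.
REPORTED_DUMPS = [
    ("memory/764-8-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/764-9-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/764-15-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/972-108-0x0000000000516000-0x000000000053B000-memory.dmp", "148KB"),
    ("memory/972-107-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-51-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-109-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-1-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-2-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-181-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/3444-184-0x0000000000400000-0x00000000004A8000-memory.dmp", "672KB"),
    ("memory/4032-180-0x0000000000400000-0x000000000041C000-memory.dmp", "112KB"),
]


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes):
    """Whole-kilobyte label in the form the report prints."""
    return f"{nbytes // 1024}KB"


def size_mismatches(dumps):
    """Names whose address range disagrees with the size printed next to them."""
    return [name for name, printed in dumps
            if size_label(parse_dump_name(name)["size"]) != printed]


def image_base_regions(dumps, base=DEFAULT_IMAGE_BASE):
    """pid -> size of the region dumped at the image base (last dump wins;
    every dump of that region has the same extent in this report)."""
    out = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["start"] == base:
            out[d["pid"]] = d["size"]
    return out


def undumped_targets(dumps, targets, base=DEFAULT_IMAGE_BASE):
    """Injection targets for which no image-base dump exists."""
    return sorted(set(targets) - set(image_base_regions(dumps, base)))


if __name__ == "__main__":
    for pid, size in sorted(image_base_regions(REPORTED_DUMPS).items()):
        print(f"pid {pid}: {size_label(size)} at 0x{DEFAULT_IMAGE_BASE:x}")
    print("size mismatches:", size_mismatches(REPORTED_DUMPS))
    # 764, 972 and 4032 are the WriteProcessMemory targets from the signature table.
    print("targets without an image-base dump:",
          undumped_targets(REPORTED_DUMPS, [764, 972, 4032]))
```

The 972-108 dump (0x516000 to 0x53B000, 148KB) is the one region outside the image and outside the upx matches; when carving an unpacked payload, the image-base dumps of the children are the first candidates and that region is the one to inspect separately.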