Analysis

max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 19:08
Static task: static1
Behavioral task: behavioral1
  Sample: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

The signatures, process tree and memory dumps below are from behavioral1, the Windows 7 x64 run; the Windows 10 run (behavioral2) is not reproduced on this page.
General

Target: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
Size: 282KB
MD5: 7555fa82400eef9e9af4a73f8f65d6cc
SHA1: 23e0decff1376cbb4b3f405b5d225001db2bdd7f
SHA256: 4abd967bd77a75611dd4ae57456f0d8a40cab225c63c41501878beb0d85303a1
SHA512: 3260633c459d615246606089abbac11ac2bcc0c91b8d220a8ac3b87e0aa551df6847c871c5e8580654b9d0abfe68183b2e3a6b3af1a86c160477c5ec264c8406
SSDEEP: 6144:crPrHEYF57R69Um+nEY0kqk4PXzCPamiHtRNCI6X:2HXF9R6ym+skK07mKX
Malware Config
Signatures
- Modifies security service (2 TTPs, 1 IoC)
  Process: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"
  Start = 3 is SERVICE_DEMAND_START: the Security Center service (wscsvc) is switched from automatic to manual start, so it no longer comes up at boot. Read together with the HideSCAHealth policy write under "System policy modification" below, the machine loses both the service and the tray warning that it is off.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store. No process or file path is recorded for this hit on the page.
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a registry key to the Active Setup of the local machine.
  Process: explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Active Setup\Installed Components
  Caveat: this IoC is attributed to explorer.exe (PID 3012), not to the sample, and creating the per-user Installed Components key is what explorer.exe does at logon when it processes Active Setup. No StubPath written by the sample appears anywhere in the report, so on its own this hit is low confidence.
- Disables taskbar notifications via registry modification
  No separate IoC is listed for this signature; the HideSCAHealth policy value under "System policy modification" below is the write that hides the Security Center health icon.
- Executes dropped EXE (1 IoC)
  PID 1872  277E.tmp
- Loads dropped DLL (2 IoCs)
  PID 2436  7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe (two loads; the DLL paths are not included in this extract)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs such as FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- YARA rule `upx` matched in memory (the signature title is missing from this extract)
  Every match is at base 0x400000 in one of the sample's three instances (PIDs 2436, 1664, 1540), i.e. the main image of a UPX-packed 32-bit executable rather than a separately injected region; the same base shows up with two end addresses (0x469000 and 0x46C000) across successive dumps.
  behavioral1/memory/2436-1-0x0000000000400000-0x0000000000469000-memory.dmp
  behavioral1/memory/2436-2-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2436-11-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/1664-13-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/1664-14-0x0000000000400000-0x0000000000469000-memory.dmp
  behavioral1/memory/2436-79-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/1540-81-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/1540-82-0x0000000000400000-0x0000000000469000-memory.dmp
  behavioral1/memory/2436-84-0x0000000000400000-0x0000000000469000-memory.dmp
  behavioral1/memory/2436-198-0x0000000000400000-0x000000000046C000-memory.dmp
  behavioral1/memory/2436-201-0x0000000000400000-0x000000000046C000-memory.dmp
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8C5.exe = "C:\\Program Files (x86)\\LP\\E43F\\8C5.exe"
  The Wow6432Node path shows the write went through WOW64 registry redirection, i.e. the sample is a 32-bit executable running on the x64 guest. The value name is simply the file name (8C5.exe) and points at the file created under Program Files (x86)\LP (see "Drops file in Program Files directory").
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (3 IoCs)
  Process: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\LP\E43F\8C5.exe
  File opened for modification  C:\Program Files (x86)\LP\E43F\277E.tmp
  File created                  C:\Program Files (x86)\LP\E43F\8C5.exe
  277E.tmp is the file executed as PID 1872 and is hashed under Downloads (99KB). 8C5.exe, the Run-key target, does not appear under Downloads, so its contents were not captured in this run.
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the three instances of 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe and by 277E.tmp.
  Caveat: reading NLS\Language is also routine locale initialisation, so on its own this is a weak signal.
- Modifies registry class (5 IoCs)
  Process: explorer.exe
  Key created      \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  Key created      \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  Key created      \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings
  These are ShellBag (BagMRU) writes by explorer.exe, the shell's own window-state bookkeeping, not activity of the sample.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  All 14 from PID 2436 (7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3012  explorer.exe
- Suspicious use of AdjustPrivilegeToken (15 IoCs)
  PID 1272  msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 3012  explorer.exe: SeShutdownPrivilege (12 times)
  Neither process is a child of the sample in the process tree below, and msiexec.exe /V is the Windows Installer service process, so nothing in this report ties these token adjustments to the sample.
- Suspicious use of FindShellTrayWindow (28 IoCs)
  All 28 from PID 3012 (explorer.exe).
- Suspicious use of SendNotifyMessage (18 IoCs)
  All 18 from PID 3012 (explorer.exe).
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID 2436 (7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe) wrote to:
    PID 1664  7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe  (4 writes)
    PID 1540  7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe  (4 writes)
    PID 1872  277E.tmp                                            (4 writes)
  Every target is a process the sample itself spawned (see the process tree), and each receives the same four writes from its parent. That is consistent with process-creation setup of its own children rather than injection into an unrelated process; the report records no writes into explorer.exe or any other foreign process.
- System policy modification (1 TTP, 2 IoCs)
  Process: 7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
  HideSCAHealth = 1 hides the Security Center health icon in the notification area, so the user is not warned that wscsvc has been turned off (see "Modifies security service"). CurrentVersion\Policies is one of the registry keys shared between the 32- and 64-bit views, which is why this write, unlike the Run key, does not land under Wow6432Node.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No task name or command is recorded for this hit.
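The registry indicators above translate directly into a host check. The following PowerShell script is an added example, not part of the sandbox report or of any tool it references. It assumes an elevated PowerShell 5.1 session on the Windows host being examined; the key paths and values are the ones recorded under Signatures (ControlSet001 is read through the CurrentControlSet link). The function name, the `\LP\<hex>\<hex>.exe` pattern used for the Run-key check and the drop-location pattern used for the Active Setup check are assumptions that generalise the single run on this page.

```powershell
# Added example, not part of the sandbox report: audit a Windows host for the
# registry indicators listed under Signatures. Assumes an elevated PowerShell 5.1
# session. ControlSet001 from the report is read through the CurrentControlSet link.

function Test-ReportRegistryIoCs {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. "Modifies security service": wscsvc\Start = 3 (SERVICE_DEMAND_START, manual).
    #    Security Center is configured for automatic start (2) on a stock system.
    $wsc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' `
                            -Name Start -ErrorAction SilentlyContinue
    if ($wsc -and $wsc.Start -ne 2) {
        $findings.Add("wscsvc Start = $($wsc.Start); the sample wrote 3, stock value is 2")
    }

    # 2. "System policy modification": HideSCAHealth = 1 hides the Security Center
    #    health icon, so the user is never warned that wscsvc is off.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                            -Name HideSCAHealth -ErrorAction SilentlyContinue
    if ($pol -and $pol.HideSCAHealth -eq 1) {
        $findings.Add('Policies\Explorer\HideSCAHealth = 1')
    }

    # 3. "Adds Run key": report value 8C5.exe = "C:\Program Files (x86)\LP\E43F\8C5.exe"
    #    under Wow6432Node. The E43F / 8C5 names look run-specific, so the regex below
    #    matches the shape \LP\<hex>\<hex>.exe instead (assumption, not from the report).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... metadata
            if ("$($p.Value)" -match '\\LP\\[0-9A-Fa-f]{3,5}\\[0-9A-Fa-f]{3,5}\.exe') {
                $findings.Add("Run value '$($p.Name)' = $($p.Value) [$key]")
            }
        }
    }

    # 4. "Active Setup": the report only shows explorer.exe creating the per-user
    #    Installed Components key, which is routine at logon. Persistence that would
    #    actually survive needs a StubPath under HKLM; flag any StubPath that points
    #    into the drop locations this sample used (assumption: same locations as above).
    $asRoots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    foreach ($root in $asRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
            if ($stub -and $stub -match '\\LP\\|\\AppData\\Roaming\\') {
                $findings.Add("Active Setup $($_.PSChildName) StubPath = $stub")
            }
        }
    }

    return $findings
}

# @( ) keeps $hits an array even when there is zero or one finding.
$hits = @(Test-ReportRegistryIoCs)
if ($hits.Count -eq 0) {
    'No registry indicators from this report were found.'
} else {
    $hits | ForEach-Object { "[!] $_" }
}
```

A clean host returns no findings; the wscsvc and HideSCAHealth checks are the strongest of the four because both values are written by the sample itself, whereas the Active Setup check is included only to separate a real StubPath persistence from the explorer.exe noise the report attributes to that technique.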
Processes

- C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe  (PID 2436)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe"
  - Modifies security service
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
  - C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe  (PID 1664 or 1540; the report does not say which copy is which)
    Command line (as recorded): C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\FFAED\7E4E4.exe%C:\Users\Admin\AppData\Roaming\FFAED
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe  (PID 1540 or 1664)
    Command line (as recorded): C:\Users\Admin\AppData\Local\Temp\7555fa82400eef9e9af4a73f8f65d6cc_JaffaCakes118.exe startC:\Program Files (x86)\ED463\lvvm.exe%C:\Program Files (x86)\ED463
    - System Location Discovery: System Language Discovery
  - C:\Program Files (x86)\LP\E43F\277E.tmp  (PID 1872)
    Command line: "C:\Program Files (x86)\LP\E43F\277E.tmp"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\msiexec.exe  (PID 1272; no parent link to the sample in this report)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe  (PID 3012; no parent link to the sample in this report)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The two self-relaunches pass an argument of the form start<path-to-exe>%<directory>; the extraction shows no space after "start", and whether one existed cannot be recovered from this page. The files they name, 7E4E4.exe under AppData\Roaming\FFAED and lvvm.exe under Program Files (x86)\ED463, do not appear under Downloads, so the report contains no evidence that either was actually written during this run.
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1): Windows Service (1)  [T1543.003]
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1) [T1547.001], Active Setup (1) [T1547.014]
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)  [T1543.003]
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1) [T1547.001], Active Setup (1) [T1547.014]
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)  [T1555.003]
- Unsecured Credentials (3): Credentials In Files (3)  [T1552.001]

The numbers in parentheses are the page's hit counts per technique; the ATT&CK technique IDs are added for reference.
Downloads

C:\Users\Admin\AppData\Roaming\FFAED\D463.FAE  (600B)
  MD5:    1d43f7e892ef1dfa989fe315d2caf675
  SHA1:   3d107a6d73e641c81997767bc3d52c0abf150781
  SHA256: a8fd968275a3a0b8cc512b57bc01ddda55213262de9e8e2df2a8f54a56da9dbd
  SHA512: e1b60dbaca13afa8867e2f50c267e29f277274151215c1e2a5732457eedbf159c8f07a71201bae1e267772cb8a0a7ea8ddce87dab0900fc797df1398ce2f5295

C:\Users\Admin\AppData\Roaming\FFAED\D463.FAE  (1KB)
  MD5:    3e418c06ee7c81bd66be1156125456d9
  SHA1:   806f5c30197ae3b9b6f1ace1f749ad07ce7eb172
  SHA256: 8cb0c8db570c1a2b860ce3fc49e85da0a506c8cdcf66376e164a27b229356cac
  SHA512: bc81ae9c83e8ef0c6228d2bf8a86220d3c6f477e6f627230f0cc6399a04aa9e04ef2d49f6671f3ed88c1b31e8be1b5ff149b4b36e915731baed415ec0d51c45a

C:\Users\Admin\AppData\Roaming\FFAED\D463.FAE  (996B)
  MD5:    e1c59187d0f4ac8310c693a3fb4421e1
  SHA1:   f761fadf8013998f2e4278cf73e9b9a09588bdd2
  SHA256: 3322a6c5343b9128cee8498119ad86661985b33c9bff920ce3397e05879a249e
  SHA512: 491166ae21d2b60d9734ce20bd36a9cac7b1e2874040d855279b1d6513dcd7e16b6da9ceea9c29357c83c26d44fa33340f4102d9a5734e9bc91f8adbf85f17e6

The same path is listed three times with different sizes and hashes: the file was rewritten during the run and each entry is a captured version of it, not three separate files. None of the three hashes is stable enough to use as a file indicator; the path is.

\Program Files (x86)\LP\E43F\277E.tmp  (99KB)
  MD5:    9d83b6d4629b9d0e96bbdb171b0dc5db
  SHA1:   e9bed14c44fe554e0e8385096bbacca494da30b1
  SHA256: d3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d
  SHA512: 301187bdcab5ca9942b2c7b7114e37e53e58b5661eef50c389622950d7691993a29f5a825132cf499ca73cdb6637d3f58afdc024cb04fac2b8e01f752209572c

Memory dumps (behavioral1; size follows each dump, and the 0x400000 dumps are the sample's main image as noted under the `upx` match above)
  memory/1540-81-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
  memory/1540-82-0x0000000000400000-0x0000000000469000-memory.dmp    420KB
  memory/1540-83-0x0000000000470000-0x00000000004B7000-memory.dmp    284KB
  memory/1664-14-0x0000000000400000-0x0000000000469000-memory.dmp    420KB
  memory/1664-15-0x0000000002580000-0x00000000025C7000-memory.dmp    284KB
  memory/1664-13-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
  memory/1872-197-0x0000000000400000-0x000000000041C000-memory.dmp   112KB
  memory/2436-84-0x0000000000400000-0x0000000000469000-memory.dmp    420KB
  memory/2436-1-0x0000000000400000-0x0000000000469000-memory.dmp     420KB
  memory/2436-11-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
  memory/2436-2-0x0000000000400000-0x000000000046C000-memory.dmp     432KB
  memory/2436-79-0x0000000000400000-0x000000000046C000-memory.dmp    432KB
  memory/2436-198-0x0000000000400000-0x000000000046C000-memory.dmp   432KB
  memory/2436-201-0x0000000000400000-0x000000000046C000-memory.dmp   432KB
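The file and process indicators from the Processes and Downloads sections can be checked on a host with the script below. It is an added example, not part of the sandbox report or of any tool it references, and assumes PowerShell 5.1 (for Get-FileHash, Get-CimInstance and -Depth) in an elevated session. The paths and the one SHA256 value are copied from the report; `$env:APPDATA` stands in for the sandbox user's C:\Users\Admin\AppData\Roaming, the three function names are assumptions, and the "sweep by shape" and command-line regex generalise the single run on this page rather than reproduce something the report states.

```powershell
# Added example, not part of the sandbox report: look for the dropped files and the
# self-relaunch command line recorded under Processes and Downloads. Assumes
# PowerShell 5.1; run elevated so Win32_Process exposes every process's command line.

# Paths from the report. Only 277E.tmp has a hash under Downloads; 8C5.exe, lvvm.exe
# and 7E4E4.exe are named in the report but were not captured, so no hash is known.
# $env:APPDATA stands in for C:\Users\Admin\AppData\Roaming of the sandbox user.
$droppedFiles = @(
    @{ Path = 'C:\Program Files (x86)\LP\E43F\277E.tmp'
       Sha256 = 'd3a6060ff059a7724a483d82025a9231a61143839b633a6d3842a58ccb5a7d7d' },
    @{ Path = 'C:\Program Files (x86)\LP\E43F\8C5.exe';   Sha256 = $null },
    @{ Path = 'C:\Program Files (x86)\ED463\lvvm.exe';    Sha256 = $null },
    @{ Path = (Join-Path $env:APPDATA 'FFAED\7E4E4.exe'); Sha256 = $null },
    @{ Path = (Join-Path $env:APPDATA 'FFAED\D463.FAE');  Sha256 = $null }   # rewritten 3x in the run
)

function Find-DroppedFiles {
    param([hashtable[]]$Expected)
    foreach ($e in $Expected) {
        if (-not (Test-Path -LiteralPath $e.Path)) { continue }
        $hash = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path          = $e.Path
            Sha256        = $hash
            MatchesReport = $(if ($e.Sha256) { $hash -eq $e.Sha256 } else { 'no hash in report' })
        }
    }
}

# The E43F / ED463 / FFAED directory names look run-specific. Sweep the parent
# locations for the same shape instead of the exact names (assumption, generalised
# from the single run in this report). @( ) keeps each result an array when empty.
function Find-DropShapes {
    $pf = @(Get-ChildItem -Path 'C:\Program Files (x86)\LP' -Recurse -Include '*.exe', '*.tmp' -ErrorAction SilentlyContinue)
    $ad = @(Get-ChildItem -Path $env:APPDATA -Recurse -Depth 1 -Filter '*.FAE' -ErrorAction SilentlyContinue)
    ($pf + $ad) | Select-Object FullName, Length, LastWriteTime
}

# Under Processes the sample relaunches itself twice with an argument of the form
#   start<path-to-exe>%<directory>
# recorded as "startC:\...\7E4E4.exe%C:\...\FFAED". Match that shape in live command
# lines; \s? tolerates a space after "start" that the extraction may have dropped.
function Find-RelaunchPattern {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -match '\.exe"?\s+start\s?[A-Za-z]:\\[^%]+\.exe%[A-Za-z]:\\' } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

Find-DroppedFiles -Expected $droppedFiles | Format-Table -AutoSize
Find-DropShapes                            | Format-Table -AutoSize
Find-RelaunchPattern                       | Format-List
```

Find-DroppedFiles reports a hash mismatch on 277E.tmp as a finding in its own right (same name and location, different content), since a repacked build would keep the path. The command-line check is the most specific of the three: a legitimate program has no reason to pass a path joined to a directory with "%" as a single argument.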