Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-07-2024 01:09

General

  • Target

    767db863164ec054813a61fc1c469b60_JaffaCakes118.exe

  • Size

    25.9MB

  • MD5

    767db863164ec054813a61fc1c469b60

  • SHA1

    cf1f5541ea6fcd245d725b89e4e2309b895ab4f7

  • SHA256

    b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31

  • SHA512

    c723996862f4368555af5cd3435ffc7207e9b7f945369ff543b1de5e527a26bed0cd18389ca64bb95085426b9d7f7d2753b8995de2bcfd02b882ac3f4a4f16ed

  • SSDEEP

    786432:zfzDs7aZXBWhs6cets5XOjehnRLy3f3xfDcgH:zffYavetwmehntyJff

Malware Config

Signatures

  • Panda Stealer payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

  • Shurk Stealer payload 2 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\ProgramData\start.exe
      "C:\ProgramData\start.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F4CA.tmp\F4CB.tmp\F4CC.bat C:\ProgramData\start.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\ProgramData\Changer.exe
          Changer.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\ProgramData\allSkinsData.exe
            "C:\ProgramData\allSkinsData.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2684
          • C:\ProgramData\InventoryChangerLoader.exe
            "C:\ProgramData\InventoryChangerLoader.exe"
            5⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Changer.exe

    Filesize

    25.6MB

    MD5

    432498138f372d6f58fb1ce3838eaab9

    SHA1

    74e5cd939cf140d9ed37ee901d68b2a51e49aa33

    SHA256

    47d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7

    SHA512

    98fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0

  • C:\ProgramData\InventoryChangerLoader.exe

    Filesize

    14.2MB

    MD5

    3dd6cc2610355bbd373e371bf73a00e8

    SHA1

    2fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf

    SHA256

    0b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228

    SHA512

    eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6

  • C:\Users\Admin\AppData\Local\Temp\Cab19BA.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\F4CA.tmp\F4CB.tmp\F4CC.bat

    Filesize

    74B

    MD5

    ad1338af912f600aacea8967b518c5cf

    SHA1

    e1a44e009c1f925bce69d423949d1e27670b21f2

    SHA256

    3407436e93523047a207cc6ae8d4eb17cc578b7687e41601b0347e7e42d3ba26

    SHA512

    68147c07bef9aa52bd88375e96cb07984f851cfd31a08e85eb6fa818bc10a6d38c392b4afe02ec25317f5d2d54873ded12dff6a6faf0a24b769db736e3190875

  • C:\Users\Admin\AppData\Local\Temp\Tar1A0B.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \ProgramData\allSkinsData.exe

    Filesize

    1.4MB

    MD5

    9e964d0100dde88172f64ecef8e49299

    SHA1

    e65910e0c60e1c728f59a2004ba2f0d44eb56da9

    SHA256

    22fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644

    SHA512

    63c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49

  • \ProgramData\start.exe

    Filesize

    88KB

    MD5

    9590a44fb19cef257378efe5697e8b0b

    SHA1

    7c6bec1a118adcb4fc2dad41512b94b2577a5a48

    SHA256

    1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

    SHA512

    421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

  • memory/1532-58-0x0000000002720000-0x000000000275A000-memory.dmp

    Filesize

    232KB

  • memory/1532-56-0x0000000000880000-0x000000000088A000-memory.dmp

    Filesize

    40KB

  • memory/1532-52-0x000000001EB50000-0x000000001F23E000-memory.dmp

    Filesize

    6.9MB

  • memory/1532-54-0x0000000000990000-0x00000000009BE000-memory.dmp

    Filesize

    184KB

  • memory/1532-53-0x0000000004060000-0x00000000040B0000-memory.dmp

    Filesize

    320KB

  • memory/1532-55-0x0000000000870000-0x0000000000880000-memory.dmp

    Filesize

    64KB

  • memory/1532-57-0x0000000000880000-0x000000000088A000-memory.dmp

    Filesize

    40KB

  • memory/1532-51-0x000000001E460000-0x000000001EB4A000-memory.dmp

    Filesize

    6.9MB

  • memory/1532-50-0x00000000009C0000-0x000000000260A000-memory.dmp

    Filesize

    28.3MB

  • memory/1532-59-0x000000001DE70000-0x000000001DF20000-memory.dmp

    Filesize

    704KB

  • memory/1532-132-0x0000000000880000-0x000000000088A000-memory.dmp

    Filesize

    40KB

  • memory/2684-87-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2684-86-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/2848-48-0x0000000000AE0000-0x0000000000C54000-memory.dmp

    Filesize

    1.5MB

  • memory/2848-49-0x00000000005B0000-0x00000000005CE000-memory.dmp

    Filesize

    120KB