Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27-07-2024 01:09
General
-
Target
767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
-
Size
25.9MB
-
MD5
767db863164ec054813a61fc1c469b60
-
SHA1
cf1f5541ea6fcd245d725b89e4e2309b895ab4f7
-
SHA256
b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31
-
SHA512
c723996862f4368555af5cd3435ffc7207e9b7f945369ff543b1de5e527a26bed0cd18389ca64bb95085426b9d7f7d2753b8995de2bcfd02b882ac3f4a4f16ed
-
SSDEEP
786432:zfzDs7aZXBWhs6cets5XOjehnRLy3f3xfDcgH:zffYavetwmehntyJff
Malware Config
Signatures
-
Panda Stealer payload 2 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
-
Shurk Stealer payload 2 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\start.exe"C:\ProgramData\start.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7D3B.tmp\7D3C.tmp\7D3D.bat C:\ProgramData\start.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Changer.exeChanger.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\allSkinsData.exe"C:\ProgramData\allSkinsData.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\InventoryChangerLoader.exe"C:\ProgramData\InventoryChangerLoader.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25.6MB
MD5432498138f372d6f58fb1ce3838eaab9
SHA174e5cd939cf140d9ed37ee901d68b2a51e49aa33
SHA25647d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7
SHA51298fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0
-
Filesize
14.2MB
MD53dd6cc2610355bbd373e371bf73a00e8
SHA12fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf
SHA2560b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228
SHA512eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6
-
Filesize
1.4MB
MD59e964d0100dde88172f64ecef8e49299
SHA1e65910e0c60e1c728f59a2004ba2f0d44eb56da9
SHA25622fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644
SHA51263c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49
-
Filesize
88KB
MD59590a44fb19cef257378efe5697e8b0b
SHA17c6bec1a118adcb4fc2dad41512b94b2577a5a48
SHA2561270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853
SHA512421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247
-
Filesize
74B
MD5ad1338af912f600aacea8967b518c5cf
SHA1e1a44e009c1f925bce69d423949d1e27670b21f2
SHA2563407436e93523047a207cc6ae8d4eb17cc578b7687e41601b0347e7e42d3ba26
SHA51268147c07bef9aa52bd88375e96cb07984f851cfd31a08e85eb6fa818bc10a6d38c392b4afe02ec25317f5d2d54873ded12dff6a6faf0a24b769db736e3190875
-
Filesize
704KB
-
Filesize
64KB
-
Filesize
224KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
184KB
-
Filesize
320KB
-
Filesize
28.3MB
-
Filesize
232KB
-
Filesize
744KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
1.5MB
-
Filesize
120KB