Analysis
-
max time kernel
144s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
30-07-2024 13:46
Static task
static1
Behavioral task
behavioral1
Sample
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
721fc9603ce2f698832856691759e8d1
-
SHA1
ab1fefaa0863fc787b4cf8cbe94be559d20586c3
-
SHA256
726c91cce56e7f2984e3df904e902a892699f18061cc6934d14b7998d04e53d2
-
SHA512
03cc0753ea33eb241dcff3bf11833f9a4972be59595f9bdbb77bc3afb05fbdb9b394c9b21a632140f8d4a8e4c38b884ba56750661ecc15e17cfdad00b43016f1
-
SSDEEP
24576:bAHnh+eWsN3skA4RV1Hom2KXMmHavFmN0CldmeK15O9EE8HSpSyD5:2h+ZkldoPK8YabC
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
zxcvbn@123
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 9 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/1316-1-0x0000000000140000-0x00000000001C8000-memory.dmp Nirsoft behavioral2/memory/4892-14-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4892-20-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4892-17-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/4892-16-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/2840-22-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2840-26-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2840-24-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/2840-34-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1316-1-0x0000000000140000-0x00000000001C8000-memory.dmp MailPassView behavioral2/memory/4892-14-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4892-20-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4892-17-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/4892-16-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/1316-1-0x0000000000140000-0x00000000001C8000-memory.dmp WebBrowserPassView behavioral2/memory/2840-22-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2840-26-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2840-24-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/2840-34-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" RegAsm.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 whatismyipaddress.com 20 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
Processes:
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exeRegAsm.exedescription pid Process procid_target PID 2548 set thread context of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 1316 set thread context of 4892 1316 RegAsm.exe 92 PID 1316 set thread context of 2840 1316 RegAsm.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exeRegAsm.exevbc.exevbc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
vbc.exeRegAsm.exepid Process 2840 vbc.exe 2840 vbc.exe 1316 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid Process Token: SeDebugPrivilege 1316 RegAsm.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exepid Process 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exepid Process 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegAsm.exepid Process 1316 RegAsm.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
721fc9603ce2f698832856691759e8d1_JaffaCakes118.exeRegAsm.exedescription pid Process procid_target PID 2548 wrote to memory of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 2548 wrote to memory of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 2548 wrote to memory of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 2548 wrote to memory of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 2548 wrote to memory of 1316 2548 721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe 87 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 4892 1316 RegAsm.exe 92 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96 PID 1316 wrote to memory of 2840 1316 RegAsm.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\721fc9603ce2f698832856691759e8d1_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4892
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196