Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/08/2024, 18:43

General

  • Target
    8738894344c3386f626c3041d3fc6b59_JaffaCakes118.exe
  • Size
    399KB
  • MD5
    8738894344c3386f626c3041d3fc6b59
  • SHA1
    7de4c0e64a78b0cb28e2ef11de4d64c5726d8568
  • SHA256
    93ecbe93753de092133b275826c68c53d3f42ea0ef963011cde6b94abb926fef
  • SHA512
    73659f1361f0fa3fd6128cdfa559a273ce1ff303cc792a7e8613dc2b7cd683c947a01ca821b07437309594a34adffd1395271cdddaa44ad14ab7497b6d77d8f2
  • SSDEEP
    6144:M1zU9A6TyE3ktD2OILj6c1EpQ+mpGS4nb3donAsT6n:M1zdyLbmpQ+AGSqbAq

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3488
      • C:\Users\Admin\AppData\Local\Temp\8738894344c3386f626c3041d3fc6b59_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8738894344c3386f626c3041d3fc6b59_JaffaCakes118.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a95A8.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Users\Admin\AppData\Local\Temp\8738894344c3386f626c3041d3fc6b59_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\8738894344c3386f626c3041d3fc6b59_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:4588
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:464
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4508

Network

MITRE ATT&CK Enterprise v15

Downloads
