Analysis

  • max time kernel
    138s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 03:00

General

  • Target

    88bcade2e5682e151ed994dde61b079e_JaffaCakes118.exe

  • Size

    134KB

  • MD5

    88bcade2e5682e151ed994dde61b079e

  • SHA1

    8a16ff02ecbc366342a377a26f1d1d0497b1788e

  • SHA256

    35d99939ea17bd688e5b40d4b718b2f795a0677d676c95496c1f3009b13c366a

  • SHA512

    353f2504f061bcca52d66110dd95afde2307c637e7d9a37664ba010c5d50e7984f4616572337caff00f411928e84be52c31283dd679219d0a292d1d41c39f94c

  • SSDEEP

    3072:/jGKwgTLTCKFYnqqeVF8VUodWGTj3RvFWb0J8tgcnmujq2r:rqKF2qDVGVUodpTLhFyEtUfr

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88bcade2e5682e151ed994dde61b079e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\88bcade2e5682e151ed994dde61b079e_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1896
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:3576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

    Filesize

    527KB

    MD5

    c2864b58d3a7d67f33a781c611ec9d77

    SHA1

    c4b110ef1d9121e6269eddc4e307a7c30030ca5b

    SHA256

    3b7320b0e7002aefc64630b8cb21b9e70126badd67763f62f8332e86e738cd0f

    SHA512

    802e6a7e533b8158099b8e6a2b586d93ad4c3e4c33838af3fac7b0405621ba6598b7c5e5878c41a5fdd63001b6e5d6094edba5c9f544a88f41278fe113eb71db

  • C:\Windows\SysWOW64\msiexec.vir

    Filesize

    162KB

    MD5

    df5acc492a162888e6a01a1a7bfa2cf9

    SHA1

    4e774dcf1616208943a22e13809cd7405b890902

    SHA256

    9678ee280c16c7eba760d1b30b0b4cedba9409bef07d643ba36b52d9ffc3d7b1

    SHA512

    aad19ed8c979addc7dda207fa6b92c26a5c59cab976b6ab55ea2e9e3d71e5e58358aedce22163b40a706430a594a4d24ea62265c825510fc9c66d378fe859cc3

  • C:\Windows\servicing\TrustedInstaller.exe

    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

  • memory/1896-0-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/1896-19-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB