ce6d01a5a746c4e5fa1a4a54ecb6cc135642b55c5e4a003868ce2f092763000f

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
Size

469KB
MD5

892892d401dfe53ea4aebb4eb000977f
SHA1

81b7bfd26e21be0377ad3a78003e39755b08ac0c
SHA256

ce6d01a5a746c4e5fa1a4a54ecb6cc135642b55c5e4a003868ce2f092763000f
SHA512

48f35cc0d4f7932c34120e6940b5d064a55156c828f91cf5fa215e3d00e5f35013614063a3c9ea4696a2f0ede96606347ac114a593e7314f79ce651afad75d14
SSDEEP

6144:YWvoh/o704sg+1eG2Wt8hHs8zuWkWQ1+6CkejEanQgteXAHD6DLnMd0QGpoK2EhD:hwh/k8eGJMFzuWr4YL0zog5

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2852	axaa.exe
1220	axaa.exe

Loads dropped DLL 3 IoCs

pid	Process
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
2852	axaa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\axaa.exe = "C:\\Users\\Admin\\AppData\\Roaming\\axaa.exe"	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2852 set thread context of 1220	2852	axaa.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axaa.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	axaa.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	axaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	axaa.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
Token: SeDebugPrivilege	2852	axaa.exe
Token: 33	1280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1280	AUDIODG.EXE
Token: 33	1280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1280	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
1220	axaa.exe
1220	axaa.exe
1220	axaa.exe
1220	axaa.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1780	2520	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	30
PID 1780 wrote to memory of 2852	1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	31
PID 1780 wrote to memory of 2852	1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	31
PID 1780 wrote to memory of 2852	1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	31
PID 1780 wrote to memory of 2852	1780	892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe	31
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32
PID 2852 wrote to memory of 1220	2852	axaa.exe	32

C:\Users\Admin\AppData\Local\Temp\892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\892892d401dfe53ea4aebb4eb000977f_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Roaming\axaa.exe
    C:\Users\Admin\AppData\Roaming\axaa.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Roaming\axaa.exe
      C:\Users\Admin\AppData\Roaming\axaa.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7V06J7Q\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7V06J7Q\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wim.txt

Filesize
86B

MD5
5e907bfbf1a95e12146da0435e349702

SHA1
c27794aa61ee666890ee438a26029302983afb09

SHA256
cd013a0f8af2271b70cc1785847a306f7e870f4812460f21ac706d3e558f374e

SHA512
49d7277c0fdf6237a5f57c4dca82dff71c2fbb381a008f8d8547bd566716f40c09007e1a002118a1684eaf2ef96d49b0619f013b4b70af317a81374bec5dc4a8

Download Submit
C:\Users\Admin\AppData\Local\config.bin

Filesize
55B

MD5
632bcdcdaba65a06ede4e9ae34eff8db

SHA1
d6591b9d9c5e54568b0192dd179dbafababc4c52

SHA256
a74ef3fcaae14853d9b9ac754a62a7364d52b50f01b5d800c81a9d72dee1e755

SHA512
0b76d4f89ed6c4987b6a6f6018497f703d0e442a4f77c0967fb066f5014c0642e149c002884783bf1e2a6cbb46f420c30f3e4542a772c0feae7de4573bd483b1

Download Submit
C:\Users\Admin\lolz.txt

Filesize
4B

MD5
2588ee1be117044b9c5ee49cc26d55c4

SHA1
d863e8f7254f1cfbf175d2521e088c74a1b17831

SHA256
e986b5c4c9be09fd79eea7a94c303d460394aa0d45902ac9a373be4096a6b6fb

SHA512
71d84113652906956c04b0471d198d7567acd48801f6a87e4ef9e488d2f13e1b0c5800c61176f0a141bd041548e934ae1d4d4cc0f25966b8c1488337af520856

Download Submit
C:\Users\Admin\uid.txt

Filesize
19B

MD5
e5157a3a87e549228bb06cff31da5347

SHA1
7e329f11ddeb205231e2236c93ae985eeb067776

SHA256
8daa75ed1cf13dda053c10e1fac54c6b77c4bc7d02169974a21a71f867f32dd1

SHA512
f22e77ce8d25cd5fc1d341c1c1ce9ef62f07b89cd23bb8a951e7407477d667cd665c9d6d51459a7d38dfba8e8e7ac45aa4395c8dda3e7ac50a68d6aa60fbe1e1

Download Submit
\Users\Admin\AppData\Roaming\axaa.exe

Filesize
469KB

MD5
892892d401dfe53ea4aebb4eb000977f

SHA1
81b7bfd26e21be0377ad3a78003e39755b08ac0c

SHA256
ce6d01a5a746c4e5fa1a4a54ecb6cc135642b55c5e4a003868ce2f092763000f

SHA512
48f35cc0d4f7932c34120e6940b5d064a55156c828f91cf5fa215e3d00e5f35013614063a3c9ea4696a2f0ede96606347ac114a593e7314f79ce651afad75d14

Download Submit
memory/1780-16-0x0000000004660000-0x00000000056C2000-memory.dmp

Filesize
16.4MB

Download
memory/1780-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1780-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1780-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1780-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2520-85-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-153-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-109-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-151-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-115-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-133-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-117-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-141-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-119-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-139-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-121-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-137-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-131-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2520-135-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-116-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-134-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-132-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-136-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-126-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-138-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-120-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-140-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-118-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-142-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-110-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-152-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-108-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download
memory/2852-154-0x0000000013140000-0x00000000131BB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads