Overview

overview

10

Static

static

3

9419ee4ef3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9419ee4ef3337a61b5f7a0a3949d2a8d_JaffaCakes118.exe

  • Size

    6.5MB

  • MD5

    9419ee4ef3337a61b5f7a0a3949d2a8d

  • SHA1

    04988d7cb660cab4ea2d8c01deae8559a8f11532

  • SHA256

    1f74b7fcaec2411cd90a37b98550fc7e37016fe3ce84a169a859588eda4cbc21

  • SHA512

    58a3308f62e73de811bebcafa66bf0d153773ea948044af3312ad1f70e466d2b1ba00cce29437be5cb1289a3f2d291c036f2d579c6c8512fbe940adbe8be77a3

  • SSDEEP

    98304:NyrC8gMtKbCXjn9IQX5uGiylK8p/DaCO0Y54WxTIln+HTocMxJa67EANewDbXwll:N2C8gHbCXZ3XQsKIanF0n3uQXbqIK

Score
10/10
pandastealershurkcredential_accessdiscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • Panda Stealer payload 1 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9419ee4ef3337a61b5f7a0a3949d2a8d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\9419ee4ef3337a61b5f7a0a3949d2a8d_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~2.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINRAR~2.EXE
    Filesize

    490KB

    MD5

    4a7d68567152344a29b4c6501f95ec07

    SHA1

    9e964e8a58c21d55756eb63013e8e12b071e92a1

    SHA256

    4fba76f8161955ba741ac19f40e4e43bc8086707e8c2ccd624f95054abbc59cf

    SHA512

    7adb1b17872c2a297899ab6e19636d128211005165dd38239a5ad056a9d118e32824e12d65033cd054e0ffe0a2df08ad5fead1dda8f9052c0fe2de5de61bbf28

    Download Submit

  • memory/2224-0-0x00007FF6B8710000-0x00007FF6B8D27000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2224-1-0x00007FF8F2250000-0x00007FF8F2252000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2224-35-0x00007FF6B8710000-0x00007FF6B8D27000-memory.dmp

    Filesize

    6.1MB

    Download