Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
17/08/2024, 00:57
Static task
static1
Behavioral task
behavioral1
Sample
a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe
-
Size
124KB
-
MD5
a09c0fad3033777e3051d6aee28e22f2
-
SHA1
f262f770a2fd61034101961cf7e59f436e5ec4e2
-
SHA256
4baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c
-
SHA512
26d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a
-
SSDEEP
3072:Q9gg2CUptT76YtFD0PvqM28GSff3KDRZHt5HX00C9L:6/Ur6YtaPDj455k0a
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2164 trivax1.Bin.exe -
Loads dropped DLL 2 IoCs
pid Process 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2460-2-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral1/memory/2460-3-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral1/memory/2460-7-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral1/memory/2164-17-0x0000000000400000-0x0000000000477000-memory.dmp upx behavioral1/memory/2164-27-0x0000000000400000-0x0000000000477000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\trivax1.Bin.exe = "C:\\trivax1.Bin\\trivax1.Bin.exe" trivax1.Bin.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trivax1.Bin.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter trivax1.Bin.exe Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" trivax1.Bin.exe Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" trivax1.Bin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery trivax1.Bin.exe Set value (int) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" trivax1.Bin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe 2164 trivax1.Bin.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe Token: SeDebugPrivilege 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe Token: SeDebugPrivilege 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe Token: SeDebugPrivilege 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe Token: SeDebugPrivilege 2164 trivax1.Bin.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2460 wrote to memory of 1196 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 21 PID 2460 wrote to memory of 380 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 3 PID 2460 wrote to memory of 432 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 5 PID 2460 wrote to memory of 492 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 7 PID 2460 wrote to memory of 500 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 8 PID 2460 wrote to memory of 592 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 9 PID 2460 wrote to memory of 672 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 10 PID 2460 wrote to memory of 744 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 11 PID 2460 wrote to memory of 816 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 12 PID 2460 wrote to memory of 856 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 13 PID 2460 wrote to memory of 976 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 15 PID 2460 wrote to memory of 236 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 16 PID 2460 wrote to memory of 112 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 17 PID 2460 wrote to memory of 1060 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 18 PID 2460 wrote to memory of 1116 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 19 PID 2460 wrote to memory of 1168 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 20 PID 2460 wrote to memory of 1196 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 21 PID 2460 wrote to memory of 2044 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 23 PID 2460 wrote to memory of 1424 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 24 PID 2460 wrote to memory of 1612 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 25 PID 2460 wrote to memory of 2360 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 26 PID 2460 wrote to memory of 2160 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 27 PID 2460 wrote to memory of 1856 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 28 PID 2460 wrote to memory of 2164 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 31 PID 2460 wrote to memory of 2164 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 31 PID 2460 wrote to memory of 2164 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 31 PID 2460 wrote to memory of 2164 2460 a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe 31 PID 2164 wrote to memory of 1196 2164 trivax1.Bin.exe 21 PID 2164 wrote to memory of 380 2164 trivax1.Bin.exe 3 PID 2164 wrote to memory of 432 2164 trivax1.Bin.exe 5 PID 2164 wrote to memory of 492 2164 trivax1.Bin.exe 7 PID 2164 wrote to memory of 500 2164 trivax1.Bin.exe 8 PID 2164 wrote to memory of 592 2164 trivax1.Bin.exe 9 PID 2164 wrote to memory of 672 2164 trivax1.Bin.exe 10 PID 2164 wrote to memory of 744 2164 trivax1.Bin.exe 11 PID 2164 wrote to memory of 816 2164 trivax1.Bin.exe 12 PID 2164 wrote to memory of 856 2164 trivax1.Bin.exe 13 PID 2164 wrote to memory of 976 2164 trivax1.Bin.exe 15 PID 2164 wrote to memory of 236 2164 trivax1.Bin.exe 16 PID 2164 wrote to memory of 112 2164 trivax1.Bin.exe 17 PID 2164 wrote to memory of 1060 2164 trivax1.Bin.exe 18 PID 2164 wrote to memory of 1116 2164 trivax1.Bin.exe 19 PID 2164 wrote to memory of 1168 2164 trivax1.Bin.exe 20 PID 2164 wrote to memory of 1196 2164 trivax1.Bin.exe 21 PID 2164 wrote to memory of 2044 2164 trivax1.Bin.exe 23 PID 2164 wrote to memory of 1424 2164 trivax1.Bin.exe 24 PID 2164 wrote to memory of 1612 2164 trivax1.Bin.exe 25 PID 2164 wrote to memory of 2360 2164 trivax1.Bin.exe 26 PID 2164 wrote to memory of 2160 2164 trivax1.Bin.exe 27 PID 2164 wrote to memory of 1856 2164 trivax1.Bin.exe 28 PID 2164 wrote to memory of 2460 2164 trivax1.Bin.exe 30 PID 2164 wrote to memory of 988 2164 trivax1.Bin.exe 32
Processes
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch1⤵PID:592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵PID:2044
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe2⤵PID:1612
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}2⤵PID:988
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS1⤵PID:672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted1⤵PID:816
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"2⤵PID:1168
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵PID:856
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵PID:1856
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService1⤵PID:976
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService1⤵PID:236
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork1⤵PID:1060
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1116
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a09c0fad3033777e3051d6aee28e22f2_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\trivax1.Bin\trivax1.Bin.exe"C:\trivax1.Bin\trivax1.Bin.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"1⤵PID:1424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation1⤵PID:2360
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe1⤵PID:2160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD596f4ed1e6523ea5fd57e457fe8e12977
SHA19c48d689c0d46dd4b30f3441715a384014993be2
SHA2563e017d7f2bcc0fa41a28f1403d006ab19e46c209b276151c0e53ebda7fe50f64
SHA51251f9c662f29090a940a6d231e8bf607f43368f73e415edc3138b2ae5f47ab7fb8c96f460e0c822549923c33077c2794aa01586941cecf0f2be739f096a351a08
-
Filesize
124KB
MD5a09c0fad3033777e3051d6aee28e22f2
SHA1f262f770a2fd61034101961cf7e59f436e5ec4e2
SHA2564baef42f07124b819866990e97745c2d44a95340fa0a54b8d4eddf7f2a30086c
SHA51226d85b626767686ef0967f00dc4e223efbf979664c6f11fad656b96730d2b81e4078c7de4c168bce9b5892bb487377aea8f72c65535a8a31895d0ca96e6efa7a