Analysis
-
max time kernel
123s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
17/08/2024, 03:49
General
-
Target
a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
-
Size
50KB
-
MD5
a1184e1690e4d0e3006f67ef21707693
-
SHA1
0865edbe60c018baa5a0014a63977a4da008f5ca
-
SHA256
33c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d
-
SHA512
7ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac
-
SSDEEP
768:1kpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:QkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
-
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Discovers systems in the same network 1 TTPs 4 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt4⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- System Location Discovery: System Language Discovery
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"4⤵
-
-
C:\Windows\SysWOW64\find.exefind "REG_"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user Admin /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group /domain4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano4⤵
- System Location Discovery: System Language Discovery
- System Network Connections Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r4⤵
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
-
-
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet use4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet view /domain:"WORKGROUP"4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind "\\"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet view \\MUYDDIIS4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\net.exenet view \\MUYDDIIS4⤵
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\find.exefind "Disk"4⤵
-
-
C:\Windows\SysWOW64\PING.EXEping -n 1 MUYDDIIS4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "Pinging Reply Request Unknown"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Domain Trust Discovery
1Network Service Discovery
1Network Share Discovery
1Password Policy Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
2Domain Groups
1Local Groups
1Process Discovery
1Query Registry
1Remote System Discovery
2System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD5a1184e1690e4d0e3006f67ef21707693
SHA10865edbe60c018baa5a0014a63977a4da008f5ca
SHA25633c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d
SHA5127ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac
-
Filesize
24.9MB
MD521fb131b524eb2b60b2ea6dea1050618
SHA1235d8778f3c0740b4d3f033ac1da89718309f457
SHA256b6c186d07ff98812d30c501dcdc61a4240f8685b96748c0099b23b9e1c2539c3
SHA5121893bde408fb8bc0dd3b1e791b676ba8d981d2599ff82e1cf93edc406757ed8482ac61fb43ced395819bbd23e928835abbf89a694b6c5b4eb4903ab137081d87
-
Filesize
49B
MD59a8c2d0c510fd316456d479cd25a9d6c
SHA1ea9fc69f9a8c7a2ed97a3f6ce6a9460f46b8e0d1
SHA25675895b0b466a254f21114d9cf71d18ef2413a40aed6c3c989b6496dbb345068e
SHA512617aecd798d2bc8d08cf9d771b3138068fda70091c9dac7d6a031a322829d55960b601baa3085301f34961c0eccaa18e20aa3823469d3d0eb21a639fcf61a0b8
-
Filesize
7KB
MD54c59f9d7f01ab9379c629ad4d92a9d21
SHA180d61eb769e20a39680f2f07bfb88778b82e420d
SHA256dbf711045aef0ec482ee36ea5beeba587c6331c46d5c749f32e422867163dc13
SHA512d72c71cda4e5b265695a45297678698628540c649ef28bade8fdb916d9763b87aab27ef5ff443b1c0249be0d7f48c7a65f5f21bb2fa0416bfe8ba3a534ccf382
-
Filesize
15B
MD54ff8e80638f36abd8fb131c19425317b
SHA1358665afaf5f88dfebcdb7c56e963693c520c136
SHA2566b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
Filesize
4KB
MD5b91bc08162fbc3445c5424b77183b807
SHA152b2a60db40cdcc655648a65210ed26219c033e1
SHA2567cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA5122f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
Filesize
153B
MD5b256c8a481b065860c2812e742f50250
SHA151ddf02764fb12d88822450e8a27f9deac85fe54
SHA256b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12
SHA512f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360
-
Filesize
64B
MD5e29f80bf6f6a756e0bc6d7f5189a9bb2
SHA1acdd1032b7dc189f8e68b390fe6fd964618acd72
SHA2568bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7
SHA512f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e
-
Filesize
72B
MD559f2768506355d8bc50979f6d64ded26
SHA1b2d315b3857bec8335c526a08d08d6a1b5f5c151
SHA2567f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569
SHA512e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028
-
Filesize
234B
MD59849feb6ad812a7e1ac909738b31da9a
SHA1cf01ec9aece21ffdd610f9c6e29bd9fcc9466114
SHA256d547e4e9b3633d74b9c05f4d394955fa691739bcaa6f80ca9854e3d296555612
SHA512a19058ecfb5e37473f7cef9c0958de2c83ac48c810d57473bd106801101bd24a04f1702cbcde9a64db5a22e9b70f23c68748f601d954e0dde2692e915221ce7e
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB