Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
17/08/2024, 03:49
General
-
Target
a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe
-
Size
50KB
-
MD5
a1184e1690e4d0e3006f67ef21707693
-
SHA1
0865edbe60c018baa5a0014a63977a4da008f5ca
-
SHA256
33c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d
-
SHA512
7ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac
-
SSDEEP
768:1kpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:QkQJcqwmIfj+ECJG/kvO
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Network Service Discovery 1 TTPs 1 IoCs
Attempt to gather information on host's network.
-
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Domain Trust Discovery 1 TTPs
Attempt gathering information on domain trust relationships.
-
Permission Groups Discovery: Domain Groups 1 TTPs
Attempt to find domain-level groups and permission settings.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1184e1690e4d0e3006f67ef21707693_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\wmimgmt.exe"C:\ProgramData\Application Data\wmimgmt.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\chcp.comchcp4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup administrators4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- System Location Discovery: System Language Discovery
- Gathers system information
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind "REG_"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo4⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\net.exenet user Admin4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet user Admin /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Admin /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group5⤵
-
-
-
C:\Windows\SysWOW64\net.exenet group /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain admins" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain admins" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain computers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain computers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet group "domain controllers" /domain4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 group "domain controllers" /domain5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -ano4⤵
- System Location Discovery: System Language Discovery
- System Network Connections Discovery
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NETSTAT.EXEnetstat -r4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ROUTE.EXEC:\Windows\system32\route.exe print6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\net.exenet start4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet use4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo n"4⤵
-
-
C:\Windows\SysWOW64\net.exenet share4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\net.exenet view /domain4⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
-
-
C:\Windows\SysWOW64\find.exefind /i /v "------"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "domain"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "¬A╛╣"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "░⌡ªµª¿"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "├ⁿ┴ε"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\find.exefind /i /v "completed successfully"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Domain Trust Discovery
1Network Service Discovery
1Network Share Discovery
1Password Policy Discovery
1Peripheral Device Discovery
1Permission Groups Discovery
2Domain Groups
1Local Groups
1Process Discovery
1Query Registry
1Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
50KB
MD5a1184e1690e4d0e3006f67ef21707693
SHA10865edbe60c018baa5a0014a63977a4da008f5ca
SHA25633c396a39aae14f9ca745910a4b111bb812559a4bbe154cadca1381f2f5a9c1d
SHA5127ac54be3a7489d8c3bcd4b277b9fe8e671c7485137810fca90b2b89aa0c5134db93dbfe319d42e647d34d1e1b6dcf353c8a0201580660bfaeeece0bede9595ac
-
Filesize
49B
MD59a8c2d0c510fd316456d479cd25a9d6c
SHA1ea9fc69f9a8c7a2ed97a3f6ce6a9460f46b8e0d1
SHA25675895b0b466a254f21114d9cf71d18ef2413a40aed6c3c989b6496dbb345068e
SHA512617aecd798d2bc8d08cf9d771b3138068fda70091c9dac7d6a031a322829d55960b601baa3085301f34961c0eccaa18e20aa3823469d3d0eb21a639fcf61a0b8
-
Filesize
12KB
MD5ea0bc526818c5ff56b9837548daa6edb
SHA14d08721359324ea2738eba56dad5c560adf34d6e
SHA2569580d60a63da98dd72d7784ef006b22326bd2df968ab2d5adb79ce19d676abdf
SHA512f21b127dbbdd7881ef37eb3f49ca934727b9be7181a6826c3453a862a92e88672c1ffc1dbef4c6dce197c24165b145986a6d938146fb52e0bb870af3f7154372
-
Filesize
37.5MB
MD5098de1ee4d2957ae71d0529da3db74fc
SHA1ff82f2cfb38c16a499e4886e56f35d03941188ad
SHA256009f4757be1dc2f3fb8ca37ba090f5c5fd61d2fd63adeae99cb38111f412989a
SHA512649057e16d2b7cfb474390fc038d16fb7835128eb19becc118da0aafdedf09766530bac1971d61f28543fff4674c335c49866feba99bbbec9ad2fd2d56142ffc
-
Filesize
254B
MD569d9638d6b35eb1c500d9e7fce372f7e
SHA14e35e916ad3856e32e31cf220d2806fa6dbc9d26
SHA25675afed2f53a2d7e83c7dd591b03846918ad120c854000e35d5b229d35da63e4f
SHA51217cf8a32e85ee07dab30d7a9925bd9698a5fadfd75fe75613461a7862a96a4284381e97306d89c89e760a9dd0c84e315b474c7a5768b37c15a6a3bdb9bbe3cda
-
Filesize
15B
MD54ff8e80638f36abd8fb131c19425317b
SHA1358665afaf5f88dfebcdb7c56e963693c520c136
SHA2566b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626
SHA512d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1
-
Filesize
4KB
MD5b91bc08162fbc3445c5424b77183b807
SHA152b2a60db40cdcc655648a65210ed26219c033e1
SHA2567cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a
SHA5122f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35
-
Filesize
64B
MD543859f5e2fda2f87351ac51dc95769ca
SHA1ac49ccb11214b79a94a745be88a8759327f160e9
SHA2564faa5f6eec70f3a94364c77e74e89c8722ee1157d7bfb1172a2c7a2d01721b83
SHA51296abbff7014a6364bd8617b490d79ca2f4d5e4d4cc56efffeb23ab212d15f1b989a6a1814a06c6b6279ab04da3018b420ee5e2469df725f9aa9b26ffe50b0688
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
148KB