fc7e2f4dda80a5980787e5b874a0651090157d06bd3822f972956a7a6b051514

Analysis

max time kernel
140s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 19:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
Size

211KB
MD5

a7f6c825e3f929768c521982554e7fcc
SHA1

99ac282f6410214aaadfee6a474dc092eb1654fd
SHA256

fc7e2f4dda80a5980787e5b874a0651090157d06bd3822f972956a7a6b051514
SHA512

3b6f259aff2b202e9f732bd8efa20604e17e775e92bf43b0911f902608ccb2006c568698fc5353845e1fb5d1b984d79223e11b61d57ab8028ece40bd5238d2f2
SSDEEP

3072:DJqC4d8CFtS2c4K7pEsedTcEjGQ88ktH9c43GZ1UA/wVE:AlfS2ZsQBkD73G1F

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	windows.exe

Loads dropped DLL 2 IoCs

pid	Process
560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\J0285820.fnd	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\ZPDIR2F.wpt	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\VSTO.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\10.0.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\J0152558.hxk	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\OWSHLP10.wma	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\de-DE.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\PE06049_.one	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\PublisherMUI.dic	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\BD14869_.tar	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbers.sucks	windows.exe
File created	C:\Program Files\Common Files\SpeechEngines\SpeechEngines.sucks	windows.exe
File created	C:\Program Files\7-Zip\J0234000.xld	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TITLE.mcl	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\TAB_OFF.spc	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\bg-BG.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\BD21328_.man	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\pl-PL.sucks	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\Triedit.sucks	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenu.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\fr-FR.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\en-US.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\currency.cod	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbols.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\pt-BR.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OfficeSoftwareProtectionPlatform.sucks	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\Cultures.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ja-JP.sucks	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\ja-JP.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\lv-LV.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\en-US.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\ZPDIR37F.WMD	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\J0152722.bik	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\docked_black_moon-last-quarter_partly-cloudy.rec	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stationery.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\PE00726_.xlw	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\MSART5.amr	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\sr-Latn-CS.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\th-TH.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\Triedit.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\WB01246_.f4v	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\10.0.sucks	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\el-GR.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\he-IL.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\bg-BG.sucks	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxpad.sucks	windows.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\SpeechEngines.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\BD21310_.wpt	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\1033.sucks	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\ru-RU.exe	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.sucks	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\main.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\Module.mdn	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\FeedSync.xlm	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\it-IT.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\OrielLetter.cab	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\System.Management.Instrumentation.Resources.ghi	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\System.RunTime.Serialization.Resources.ogv	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\et-EE.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tr-TR.exe	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\PE06049_.one	windows.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\ZPDIR47B.mkv	windows.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\TipBand.dll.ppa	windows.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\BeCoolDog.inf	windows.exe
File opened for modification	C:\Windows\Fonts\RCX2896.tmp	windows.exe
File created	C:\Windows\Fonts\LinkFinished.dll	windows.exe
File created	C:\Windows\Fonts\windows.dll	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\RCX23C8.tmp	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File created	C:\Windows\Fonts\windows.exe	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\RCX2898.tmp	windows.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell (x86).lnk	windows.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell Modules.lnk	windows.exe
File opened for modification	C:\Windows\Fonts\RCX23C7.tmp	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File created	C:\Windows\Fonts\BeCoolDog.inf	windows.exe
File opened for modification	C:\Windows\Fonts\RCX2897.tmp	windows.exe
File opened for modification	C:\Windows\Fonts\windows.dll	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\RCX23B6.tmp	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\RCX28A9.tmp	windows.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell.lnk	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2824	560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe	29
PID 560 wrote to memory of 2824	560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe	29
PID 560 wrote to memory of 2824	560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe	29
PID 560 wrote to memory of 2824	560	a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7f6c825e3f929768c521982554e7fcc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\Fonts\windows.exe
  "C:\Windows\Fonts\windows.exe" BeCoolDog
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\J0187829.chk

Filesize
434KB

MD5
9808194dcc6fd1e89c3114ced896cb2a

SHA1
8be4015bb7ae69633deaba4a33973e7353f82303

SHA256
34bfe8e6641f4b322b311e9d6fc3f6dcd25ceb3e857648d6d3053ffa637725fa

SHA512
48733d8d05188f8d8b530c21c02a68c41310173d23bf353b73cf11527bad33a3024d9e3219f90682ffa3a862e36973bfc1796b6ce03f9cd09da5dae9bbb6c956

Download Submit
C:\Windows\Fonts\windows.dll

Filesize
211KB

MD5
a7f6c825e3f929768c521982554e7fcc

SHA1
99ac282f6410214aaadfee6a474dc092eb1654fd

SHA256
fc7e2f4dda80a5980787e5b874a0651090157d06bd3822f972956a7a6b051514

SHA512
3b6f259aff2b202e9f732bd8efa20604e17e775e92bf43b0911f902608ccb2006c568698fc5353845e1fb5d1b984d79223e11b61d57ab8028ece40bd5238d2f2

Download Submit
\Windows\Fonts\windows.exe

Filesize
241KB

MD5
9751436bff409c226f92e6cdbd755288

SHA1
b4e0d64f2c56427f9d3f4090fd6be86eaa040d0a

SHA256
e19b94859ac2ca7b221e829962837b70232b323db01604383e2829ae57009c36

SHA512
2a0773979e6ee9e233a332b011dcf63b08ea4bbb0b17d106e87de190885dd7931ab1b5da02d08f6cbea71bdd89058c16c2716588ba046eefb930966439b9bdb3

Download Submit
memory/560-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-487-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2824-746-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-747-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-748-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-749-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2824-750-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download