Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
19/08/2024, 03:40
General
-
Target
a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe
-
Size
2.8MB
-
MD5
a970c591be6af64b82d8285bfd648f58
-
SHA1
ba8ab2bf06b68a720b18708a3ced9d518f9abc78
-
SHA256
a9c4cea64ecebdb1de9326876b2051bb1e3d25d8199d5d8830d21daae7a36fb8
-
SHA512
32946e50f0ad97536ee984619a5c64924b38d2f1c0f7cb013c96a6d7a35b4d2ef651719f50105bc6256c9d4ca29803ab8bf1ff87b9139da17e8470c2eaa4fc17
-
SSDEEP
49152:7bSr72mlm51EiRwGn7GPF7BmXF9Hqvb9V7i/Fm6sqqrhf5+NrtzEy87NU5FXXzNm:zsoq7F
Malware Config
Signatures
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs
Suspicious Windows Authentication Registry Modification.
-
Drops file in System32 directory 27 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies data under HKEY_USERS 29 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 29 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Users\Admin\AppData\Local\Temp\a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\q1.exe"C:\Users\Admin\AppData\Local\Temp\q1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\miragge.exe"C:\Users\Admin\AppData\Local\Temp\miragge.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\system32\mlihfe.dll",a3⤵
- Loads dropped DLL
- Adds Run key to start application
- Boot or Logon Autostart Execution: Authentication Package
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\fFollower.exe"C:\Users\Admin\AppData\Local\Temp\fFollower.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fFollower.exeC:\Users\Admin\AppData\Local\Temp\fFollower.exe /install /silent3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\avto.exe"C:\Users\Admin\AppData\Local\Temp\avto.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1483⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
-
-
C:\Users\Admin\AppData\Local\Temp\2_load.exe"C:\Users\Admin\AppData\Local\Temp\2_load.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Local\Temp\2_load.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1YOUR_~1.EXE > nul3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\ope3E70.exe"C:\Users\Admin\AppData\Local\Temp\ope3E70.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exe"C:\Users\Admin\AppData\Local\Temp\svchosty.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\svchosty.exeC:\Users\Admin\AppData\Local\Temp\svchosty.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1275673347.exe"C:\Users\Admin\AppData\Local\Temp\1275673347.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\fFollower.exeC:\Users\Admin\AppData\Local\Temp\fFollower.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5c41⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Authentication Package
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Authentication Package
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
125B
MD545a9a2084a44d18bd0f446d6855908e4
SHA12b00aab2d6fd2e8fe429facce198d7093559adf1
SHA2562ef87fbd5f3ec904bc116f3654421f4c53dc5438bbf36fa029dc8af8813f9646
SHA5125e5d0c962cfa6faffafd32e10d1e38d90e12c184ab77d72907108b98bf73bdee685300c44ffae937203c7f74ecb8110794b542a4c3ba4831c9b3bafc77dc4d84
-
Filesize
2KB
MD5f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1f4eda06901edb98633a686b11d02f4925f827bf0
SHA2568d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA51262514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436
-
Filesize
453B
MD520f0110ed5e4e0d5384a496e4880139b
SHA151f5fc61d8bf19100df0f8aadaa57fcd9c086255
SHA2561471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
SHA5125f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a
-
Filesize
447B
MD526f971d87ca00e23bd2d064524aef838
SHA17440beff2f4f8fabc9315608a13bf26cabad27d9
SHA2561d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
SHA512c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15
-
Filesize
2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
Filesize
8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
Filesize
4KB
MD55565250fcc163aa3a79f0b746416ce69
SHA1b97cc66471fcdee07d0ee36c7fb03f342c231f8f
SHA25651129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
SHA512e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134
-
Filesize
2KB
MD54bcfe9f8db04948cddb5e31fe6a7f984
SHA142464c70fc16f3f361c2419751acd57d51613cdf
SHA256bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228
SHA512bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e
-
Filesize
96KB
MD5481317e395c99048099d7cac6cee51f6
SHA12acdfe506b32c1fbfd8ee2b04745b23c44b74e78
SHA2567488cc79107e3b1a60669ad8e63aadc796202b1856aab4d540bbe4fbd8741c79
SHA5127bbdf30ae0c3455685262f668ad70675fdda99703395a9d4aacfec20687886bf833c1fd045bcf395eb28d0d2387d5ab8f1e981f644c5a51441efd8993a023424
-
Filesize
22KB
MD5e167b560b55f79b3a5e03270e93d3cfd
SHA13b027a5edcac28170e4abb9fae48328f7a441b9d
SHA2560407fe93dda5e53b82e450b81ec682d3a64d5b031ee8ca73261443e0c7e9bcf9
SHA512bef5683cd9187dfd3bcca865698a69c2eb9fa4760139f15a16eadc47487ad90171acdd8da48cbc62858eb79ee66909f363c51bcedda4ac5813322fb052b5a3d8
-
Filesize
13KB
MD521202ea609c5764bf6f24a7c8344a394
SHA1ce937acd57b5c0a0efa039fc246624cd310ba841
SHA25614c2265eba1e05758b6f64f20953310cfd0791ae25674c4b1425775edc8e1df3
SHA5129fb2875a1f8497d959413803d49e82503d0a356bce9d3419fc40e03d3ee55f05f24327b25b40626ab8a8535ab21963cbde13fcb05d096fe67ba69c6349296eac
-
Filesize
38KB
MD54f4285d6e5169fb72e11bb98d53c7243
SHA1ce1b58617d4eedab42386484c5f7b6f72d33dc53
SHA2565c7574c3bb7c489a47325ab11c787ab763a67c700d12439d75b49d1a84e88041
SHA512eab548f9344b9107fdda1140e477bec562b77788764a2aae68e5761d842891552f2e66a7ddd21ec0c2b66f6b000d87e93b80f19af602d1d2003373196d0540c3
-
Filesize
82KB
MD553de5be5e645ba76ad8411eaa74744c1
SHA10d94a6a0293820c4e90fcdb6007146e74a24f0ef
SHA256799dccbddbf417014c3aeca48371d9df76389bb6cf2880a08be582d7f65178d4
SHA512710f05537267b3ce2b16db2408f8241fb09fb56ac2c85f6ab1592bd32d646c6bb9161a34f194ae7d2b1895a3fca88593f431a9a74c18d1ad1b86c0e97e1bc10f
-
Filesize
288KB
MD59ee0b6e663e779957d1d7bde833a16b9
SHA106f64375d3c2d1c5f245ef0d05f8e1a9693a9370
SHA25693ec99341172ff4cec39dd36ecc07f95256966dd16f310de8722ea51c1af3c78
SHA512abb05a9d620d9bc36e9923783c76b83b0a5d52cde0299d2c4cb6fb060bfdb977deff499af643cc17cc6bd73eaccbb8118a021c2b7bf30dbe7e8a23aa1fb675ee
-
Filesize
406KB
MD506c859d93ff64a10e2ff5fbf66551674
SHA191bb34d719ac399f71801e932357c11f2022ae57
SHA2565793c4702a132ff09bcd9fb6f2ff460e7cc08af41a756f08e22fec8a39ba05e0
SHA51218ef5abd1fa1c8dc019de915513eea3ead7d1e829a57efdf49a839fe58f0cf35fe7ff67b10dabf975c1ae7cc1e6502a963845108a55414d0ef59b3e9534be506
-
Filesize
131KB
MD5eb5ef99e16e408979d0d4a2aa7bc107f
SHA13847fc4f39f06311991c20c2a6cf0a9178fd5b40
SHA256e1c529aa3a5fcc7c7e97d1d21390d575e194952f88bff45aeb250446749e1d89
SHA51222e8ef2f5c65c092ff0e7af493f3d6130cc78aea2e826677e6f8f34b2d8b29411438dd541e51ec880cef5942c81c60c50f412a20988a5f16f4cb8fbbd89662cd
-
Filesize
403KB
MD576a912b04174bbd59c9bf93ed5846efc
SHA10142a71e613d8a1f88c0bff9be4704b3df7e0c76
SHA256fdabec00116dfe7ee8e1019623186432f7f315911cd902b68cc77f887544848c
SHA51217a8e66f78c21698afff883c3d79ef34c044e139b13b89c25577975bcd8e4e93c51dc79846069a4eec28fa7405d05cfb1bc7c8a6f39e47e9ed83782938e9e754
-
Filesize
287KB
MD595e44a25c33c5d8242e6085fbc02b7a4
SHA19770f29496bc4c8da7c499bc6b220891a16c004e
SHA2563fdd52e7c0f0ec6e43f3e920a2368b4dadf845a8c314640b6f38975e2cf055dd
SHA512222c976d30f2d51abbcf048ac45439c90e5a945a90b2996890c4a919630ff75c7c1f9712656c08d21e91dfa890dc310a08a5b0632ec3bf86a11ce9e56f861140
-
Filesize
291KB
MD50f58fd041d61178c3aeb038e9aa8ab3e
SHA1fdd93eefdb61854b7bfa97eb73b835ee32ee3ff9
SHA256af07bcb366b3c768550f3a2043b2b1828d1ce1b1d0d41733b33f04302a9620db
SHA51213ecaa1a2ae5fd58a1c204cf4988ef82ddfb48e27ed093fda25ecca64e928c1bc97e5d3a165ec6594e6202d60ca7c853dfe3fcd7c32aa467d7f9a64c28f065ba
-
Filesize
349KB
MD5b305d3991789bf36aaed61c8ff026b3f
SHA1e001e7dd0f0ae06bdfa90f0fb3e604d3d78a2eeb
SHA2561aafa2d2ded9af080af38ec664c6974c1319cbeddee6aa367623c727962e0266
SHA5129accfe156468dd9f84c3c4138f351fb513f0a4e8e1d48c56706d2057f549adc556f0cb6e4ccc741c51b7583afda20d659b53c71941aed11db8828355137197de
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
416KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
676KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
260KB
-
Filesize
676KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
76KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
456KB
-
Filesize
2.8MB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
676KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
492KB
-
Filesize
484KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
100KB
-
Filesize
112KB