Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 09:11
Static task: static1
Behavioral task: behavioral1
  Sample: aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
Size: 166KB
MD5: aa6ac5e9b67731b3bdd806a9a5119d56
SHA1: 8819e74050abe93af4f54d97726146aea507a221
SHA256: 43aacf7e7cee4343764e59581133e12edbb1df256e533da912b995de73225286
SHA512: 7ac00a76059504832ee74d55f18839320cb23272cee1df1f2468f84f856576cc6c1aba92451f8a8cddb89bf9a6a8349d964663bd39ef99a658d644fc0c01465d
SSDEEP: 3072:rT4Jfb3zQJBSPywlV1etp1gViNiFj3mLNMCMNrs:rTsj3zsSP/otpIQcmLEr
Malware Config
Signatures
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule matches in memory dumps (rule: upx)
All seven hits cover the same 0x0000000000400000-0x0000000000445000 image range across PIDs 2208, 2896 and 2796, consistent with the three processes in the tree below running the same UPX-packed image.
resource                                                                      yara_rule
behavioral1/memory/2208-2-0x0000000000400000-0x0000000000445000-memory.dmp     upx
behavioral1/memory/2896-12-0x0000000000400000-0x0000000000445000-memory.dmp    upx
behavioral1/memory/2896-13-0x0000000000400000-0x0000000000445000-memory.dmp    upx
behavioral1/memory/2208-14-0x0000000000400000-0x0000000000445000-memory.dmp    upx
behavioral1/memory/2208-79-0x0000000000400000-0x0000000000445000-memory.dmp    upx
behavioral1/memory/2796-81-0x0000000000400000-0x0000000000445000-memory.dmp    upx
behavioral1/memory/2208-188-0x0000000000400000-0x0000000000445000-memory.dmp   upx
-
Adds Run key to start application (2 TTPs, 1 IoC)
The value name and file name mimic conhost.exe, a Windows system binary, but the path points into the user's AppData\Roaming\Microsoft directory, which a standard user can write to. The Wow6432Node path is the WOW64 registry redirection: a 32-bit process (tag arch:x86) writing the HKLM Run key on a 64-bit host.
description       ioc                                                                                                                                                          Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
The parent (PID 2208) writes four times into each of two children (PIDs 2896 and 2796); both children are re-executions of the sample's own image (see the process tree below), a pattern consistent with injecting into a freshly spawned copy of itself. The procid_target column is the sandbox's internal identifier for the target process, not a Windows PID.
description                          pid    Process                                              procid_target
PID 2208 wrote to memory of 2896     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   30
PID 2208 wrote to memory of 2896     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   30
PID 2208 wrote to memory of 2896     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   30
PID 2208 wrote to memory of 2896     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   30
PID 2208 wrote to memory of 2796     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   32
PID 2208 wrote to memory of 2796     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   32
PID 2208 wrote to memory of 2796     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   32
PID 2208 wrote to memory of 2796     2208   aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe   32
Processes
C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe"
  PID: 2208
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      PID: 2896
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      PID: 2796
      - System Location Discovery: System Language Discovery
Both children are the sample re-executing its own image. Each carries a single argument of the form start<file>%<directory>, where the file sits in a user-writable directory (dwm.exe under AppData\Roaming, csrss.exe under AppData\Local\Temp) and borrows the name of a Windows system binary; the report lists neither file among the downloads, so treat those paths as hunt candidates rather than confirmed drops.
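The Run-key IoC and the two child command lines above are the parts of this report worth turning into a hunt. The following is an added example, not part of the sandbox output: it scores a Run-key SetValue event (Sysmon Event ID 13 style) for the traits seen here (image in a user-writable directory, system-binary name outside System32, value name mimicking a system process) and splits the start<file>%<directory> argument into the paths to look for on disk. The list of system-binary names is a short illustrative set, and reading the argument as <drop file>%<drop directory> is an inference from the two instances on this page; the sample event and command lines are constructed from the report's values so the script runs offline.

```python
# Added example: hunting helpers built from the IoCs in this sandbox report.
# Not part of the report; the inputs in __main__ are constructed from its values.
import re
from pathlib import PureWindowsPath
from typing import Optional

# Windows system binaries whose names malware borrows for dropped copies.
# Hypothetical short list for illustration; extend it from your own baseline.
SYSTEM_BINARY_NAMES = {"conhost.exe", "dwm.exe", "csrss.exe", "svchost.exe",
                       "lsass.exe", "explorer.exe", "winlogon.exe"}

# Directories a standard user can write to. Legitimate autostart entries
# normally point under Program Files or System32, not here.
USER_WRITABLE_MARKERS = (r"\appdata\roaming", r"\appdata\local",
                         r"\users\public", r"\programdata")

# Matches the native and the Wow6432Node-redirected Run/RunOnce keys,
# whatever hive prefix style the log source uses (HKLM\..., \REGISTRY\MACHINE\...).
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?$",
                        re.IGNORECASE)


def is_run_key(key_path: str) -> bool:
    """True for ...\\CurrentVersion\\Run and RunOnce under any hive prefix."""
    return RUN_KEY_RE.search(key_path.rstrip("\\")) is not None


def assess_run_value(key_path: str, value_name: str, value_data: str) -> dict:
    """Score one registry SetValue event on a Run key.

    Returns the autostart image path plus the reasons it looks like persistence.
    Events on keys other than Run/RunOnce are never flagged.
    """
    # The data may be quoted and may carry arguments; the first token is the image.
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value_data)
    image = (m.group(1) or m.group(2)) if m else value_data
    path = PureWindowsPath(image)
    lowered = str(path).lower()
    reasons = []
    if not is_run_key(key_path):
        return {"image": str(path), "suspicious": False, "reasons": reasons}
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("autostart image lives in a user-writable directory")
    if path.name.lower() in SYSTEM_BINARY_NAMES and r"\windows\system32" not in lowered:
        reasons.append(f"{path.name} is a system binary name but not under System32")
    if value_name.lower() == path.stem.lower() and path.name.lower() in SYSTEM_BINARY_NAMES:
        reasons.append("value name mimics a system process")
    return {"image": str(path), "suspicious": bool(reasons), "reasons": reasons}


# The child processes in the report re-execute the sample with one argument of
# the form start<file>%<directory>. Treating it as <drop file>%<drop directory>
# is an inference from the two instances shown, not something the report states.
START_ARG_RE = re.compile(
    r"\bstart(?P<file>[A-Za-z]:\\[^%]+?)%(?P<dir>[A-Za-z]:\\.*?)\s*$")


def parse_start_argument(cmdline: str) -> Optional[dict]:
    """Extract the file and directory from a 'start<file>%<dir>' command line."""
    m = START_ARG_RE.search(cmdline)
    if not m:
        return None
    file_path = PureWindowsPath(m.group("file"))
    return {
        "drop_path": str(file_path),
        "drop_dir": m.group("dir"),
        # dwm.exe or csrss.exe outside System32 is a masquerading indicator.
        "masquerade": file_path.name.lower() in SYSTEM_BINARY_NAMES,
    }


if __name__ == "__main__":
    # Constructed from the IoCs in this report.
    print(assess_run_value(
        r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
        "conhost",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"))
    sample = r"C:\Users\Admin\AppData\Local\Temp\aa6ac5e9b67731b3bdd806a9a5119d56_JaffaCakes118.exe"
    for cl in (
        sample + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming",
        sample + r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
    ):
        print(parse_start_argument(cl))
```

Feed `assess_run_value` with the TargetObject and Details fields of Sysmon Event ID 13 (or the equivalent EDR registry telemetry) and it will flag the conhost entry on all three counts while leaving a System32 autostart alone; `parse_start_argument` yields the two candidate drop paths to check on an endpoint, but since the report does not list those files among its downloads, confirm their existence before treating them as confirmed IoCs.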
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: ae2a6ddfabacae01856d2cebdb7169b7
SHA1: 5f5d55b837b318af20024db2a2f6c7fe2710c5dd
SHA256: 2ee31d72f566dd87b6c48f0f978687c1844fc7d6dd6286131c384f5353eb44db
SHA512: c666534d8e2e6dbf9e8f9f76815cb1d9641157e507ad6df9bad1af075596ccbdb8712d0a395fd52bfc16eedbf2f8b11732be4f61627adac702d1f49c6b626532
-
Filesize: 600B
MD5: 63d6395ad7c091d1dfeac56adff1e952
SHA1: 4a6388ee697c3ad0a62d3c31555e4b41fe2e6545
SHA256: 4b4ee1dfa0a5f43969e0680052a6a594266b6122dd396598620839ec58c9fe19
SHA512: f0e98592a8ab1dc07411eecd0c66a5a4337f3e644b2bc8a58cd4d50ea0e9a9e05a76891fcd74f7e598fb6f199ee1df20a2f15ac75764d8e3d5cb04a7ead71d97
-
Filesize: 996B
MD5: ba997112b43daab7742a9da9c14c6f4c
SHA1: b1cf8fdef6503998a1e199a1939f1f165c846cc1
SHA256: 15950158796245730de6031c0dcde024779a4b54fcf613aebd087b29e80ce4b1
SHA512: 74a39623a90fad7d993aea419226ab47429338395123accacd892d2fb6b3237593dd3ef99b784845ababb0aa7e177dbb933c347c553086b6071c4ee1e2d34e94