Analysis
max time kernel: 141s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-08-2024 15:17
Behavioral task: behavioral1
Sample: ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe
Size: 397KB
MD5: ab8508e491d55654ed9f405a8f940424
SHA1: 892f7c38be2eb3337d739f4db725b0f809fd91be
SHA256: bcfbe5a54d320d71c45599a346acd80341728883a112d145c1417597c0076856
SHA512: 88e55a08c0308de54fd2d5384b9190c4e9f61892c936fe83d9b870dcc1a67951587a729ad9cf76b71213b68cf626f53228efd2f8eeb354dee42baf06ceaeb56f
SSDEEP: 12288:HwPckxPGuI5SD1csTcTX/4dpKHabucRI5yRoganssOP:+xtDNcTX1HqFR9anssOP
Malware Config
Signatures

Detected Nirsoft tools (8 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral2/memory/4544-9-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-11-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-12-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-13-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-14-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-15-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-16-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft
behavioral2/memory/4544-17-0x0000000000400000-0x00000000004E6000-memory.dmp | Nirsoft

NirSoft MailPassView (8 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4544-9-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-11-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-12-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-13-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-14-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-15-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-16-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView
behavioral2/memory/4544-17-0x0000000000400000-0x00000000004E6000-memory.dmp | MailPassView

resource | yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x00000000004E6000-memory.dmp | aspack_v212_v242

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\owner.exe | ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1276 | 4544 | WerFault.exe | 83

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4544 wrote to memory of 1056 | 4544 | ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe | 89
PID 4544 wrote to memory of 1056 | 4544 | ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe | 89
PID 4544 wrote to memory of 1056 | 4544 | ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe | 89
PID 1056 wrote to memory of 1516 | 1056 | net.exe | 91
PID 1056 wrote to memory of 1516 | 1056 | net.exe | 91
PID 1056 wrote to memory of 1516 | 1056 | net.exe | 91
Processes

C:\Users\Admin\AppData\Local\Temp\ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ab8508e491d55654ed9f405a8f940424_JaffaCakes118.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4544

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 396
      - Program crash
      PID: 1276

    C:\Windows\SysWOW64\net.exe
      command line: net stop SharedAccess
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1056

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop SharedAccess
          - System Location Discovery: System Language Discovery
          PID: 1516

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
  PID: 4948