Analysis
max time kernel: 79s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-08-2024 05:42
Behavioral task: behavioral1
Sample: ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
Size: 1.2MB
MD5: ae10f1cc817f8529fc4baad9658132fb
SHA1: 20c130e623f873bffab9308daea58a8978f35576
SHA256: a6e323659353f3e65cc073dd16fe2c3b544707a8efcf74f5605337fb9ecb40a3
SHA512: b1924a8f4572d924d1eaa96989a57b749de0a301799d0bfb91c00957388c9d79968d53f712ff1d29d1a027264a51f635bbcf64e6e23f406f4222d01be33fdf4a
SSDEEP: 24576:YDUWi06YbO30iglh0xVzkUU9GVw/6LtZmXawNqBplcZhJLsrKevXP:YA8WVwv7KwNuTcZXUKEP
Malware Config
Signatures
Detects Strela Stealer payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2672-0-0x0000000000400000-0x0000000000549000-memory.dmp | family_strela
behavioral2/memory/2672-7-0x0000000000400000-0x0000000000549000-memory.dmp | family_strela

Loads dropped DLL (1 IoCs)
pid | Process
2672 | ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
File opened (read-only) \??\Y:
File opened (read-only) \??\J:
File opened (read-only) \??\N:
File opened (read-only) \??\X:
File opened (read-only) \??\L:
File opened (read-only) \??\O:
File opened (read-only) \??\P:
File opened (read-only) \??\A:
File opened (read-only) \??\G:
File opened (read-only) \??\I:
File opened (read-only) \??\Q:
File opened (read-only) \??\R:
File opened (read-only) \??\T:
File opened (read-only) \??\U:
File opened (read-only) \??\V:
File opened (read-only) \??\B:
File opened (read-only) \??\E:
File opened (read-only) \??\K:
File opened (read-only) \??\W:
File opened (read-only) \??\Z:
File opened (read-only) \??\H:
File opened (read-only) \??\M:
File opened (read-only) \??\S:
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies registry class (25 IoCs)
Process (all rows): ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\ = "EditPlus 2"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell\edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print\ddeexec\ = "[print(\"%1\")]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell\edit\ddeexec\ = "[open(\"%1\")]"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\ddeexec\ = "[open(\"%1\")]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print\ddeexec
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\ = "EditPlus 2"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE,-5000"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE /p \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell\edit\ddeexec
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\EditPlus 2\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\DefaultIcon
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\ddeexec
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2672 | ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2672 | ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
2672 | ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (1 IoCs)
description | pid | Process | procid_target
PID 2672 wrote to memory of 3380 | 2672 | ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe | 56
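Added example, not part of the sandbox report or its tooling: a small Python triage helper that parses IoC lines in the shape this report uses ("File opened (read-only) \??\X: <process>" and "Set value (str) <key>\ = "<value>" <process>") and flags two of the behaviours recorded in the signatures above, the drive-letter sweep from "Enumerates connected drives" and the shell verb handlers under HKLM\SOFTWARE\Classes from "Modifies registry class" whose command points into a user-writable Temp directory. The event list is constructed for the example (the sample's own file name is used as the process column, and the explorer.exe and txtfile rows are invented benign controls); the five-drive threshold is an assumption, not a sandbox setting.

```python
import re
from collections import defaultdict

# File name taken from the report; everything else below is constructed.
SAMPLE = "ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe"

# Constructed events modelled on the report's IoC rows: the 23 drive letters
# the sample probed (no C:), plus two benign control rows that must not fire.
SAMPLE_EVENTS = [
    r"File opened (read-only) \??\%s: %s" % (d, SAMPLE) for d in "YJNXLOPAGIQRTUVBEKWZHMS"
] + [
    r"File opened (read-only) \??\D: explorer.exe",  # constructed benign row
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE \"%1\""' + " " + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EDITPLUS.EXE /p \"%1\""' + " " + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EditPlus 2\shell\open\ddeexec\ = "[open(\"%1\")]"' + " " + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\System32\\notepad.exe %1" explorer.exe',  # constructed benign row
]

# "File opened (read-only) \??\Y: <process>"  -> drive letter, process
DRIVE_OPEN = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)$")
# 'Set value (str) <key>\ = "<value>" <process>' -> key, value, process
SET_VALUE = re.compile(r'^Set value \(str\) (.+?)\\ = "(.*)" (\S+)$')
# A shell verb handler key: ...\shell\<verb>\command
SHELL_COMMAND = re.compile(r"\\shell\\([^\\]+)\\command$", re.IGNORECASE)
# Commands rooted in a per-user Temp directory (user-writable, not an install location).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_events(lines):
    """Split raw IoC lines into drive-root opens per process and registry value sets."""
    drive_opens = defaultdict(set)   # process -> set of drive letters probed
    set_values = []                  # (key, value, process) tuples
    for line in lines:
        m = DRIVE_OPEN.match(line)
        if m:
            drive_opens[m.group(2)].add(m.group(1))
            continue
        m = SET_VALUE.match(line)
        if m:
            set_values.append(m.groups())
    return drive_opens, set_values


def find_drive_sweeps(drive_opens, threshold=5):
    """Processes that probed at least `threshold` drive roots other than C:."""
    return {
        proc: sorted(letters - {"C"})
        for proc, letters in drive_opens.items()
        if len(letters - {"C"}) >= threshold
    }


def find_temp_shell_handlers(set_values):
    """Shell verb handlers whose command executable lives in a user-writable Temp dir."""
    findings = []
    for key, value, proc in set_values:
        m = SHELL_COMMAND.search(key)
        if not m:
            continue
        # The report escapes backslashes in values; undo that before path matching.
        command = value.replace("\\\\", "\\").lstrip('"')
        if USER_TEMP.match(command):
            findings.append({
                "process": proc,
                "class": key.split("\\")[-4],   # ProgID owning the shell verb
                "verb": m.group(1),
                "command": command,
            })
    return findings


def triage(lines, threshold=5):
    """Run both checks over a list of IoC lines and return the findings."""
    drive_opens, set_values = parse_events(lines)
    return {
        "drive_sweeps": find_drive_sweeps(drive_opens, threshold),
        "temp_shell_handlers": find_temp_shell_handlers(set_values),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The ProgID and verb names registered here (EditPlus 2, .htm OpenWithList, edit/open/print with DDE exec strings) look like an ordinary text-editor file-association install, so keying a detection on the class name would miss or mis-fire; the discriminator worth alerting on is that the handler path resolves under AppData\Local\Temp rather than an install directory.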
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3380
  C:\Users\Admin\AppData\Local\Temp\ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe"
    PID: 2672
    Signatures:
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 9KB
MD5: 0adb6f82125d3cb830a532da154677f0
SHA1: b1abad527ee1ed71bd4f00e1bb01214185398efb
SHA256: 3449618ca5da3813402d38b8890462af1c90d8a991583e4c0492c3a81b60f425
SHA512: 199060e350c1101f138d6b2151fc465e930eed495af77aaeaab837b10ca6d1fc113e32be51b5abe9b9d6c00dc73edf2d80ce720e99aabb8cd60ceae458c640fc