Analysis

  • max time kernel
    79s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2024 05:42

General

  • Target

    ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    ae10f1cc817f8529fc4baad9658132fb

  • SHA1

    20c130e623f873bffab9308daea58a8978f35576

  • SHA256

    a6e323659353f3e65cc073dd16fe2c3b544707a8efcf74f5605337fb9ecb40a3

  • SHA512

    b1924a8f4572d924d1eaa96989a57b749de0a301799d0bfb91c00957388c9d79968d53f712ff1d29d1a027264a51f635bbcf64e6e23f406f4222d01be33fdf4a

  • SSDEEP

    24576:YDUWi06YbO30iglh0xVzkUU9GVw/6LtZmXawNqBplcZhJLsrKevXP:YA8WVwv7KwNuTcZXUKEP

Malware Config

Signatures

  • Detects Strela Stealer payload 2 IoCs
  • Strela stealer

    An info stealer targeting mail credentials first seen in late 2022.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\ae10f1cc817f8529fc4baad9658132fb_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2672

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240637468.dll

      Filesize

      9KB

      MD5

      0adb6f82125d3cb830a532da154677f0

      SHA1

      b1abad527ee1ed71bd4f00e1bb01214185398efb

      SHA256

      3449618ca5da3813402d38b8890462af1c90d8a991583e4c0492c3a81b60f425

      SHA512

      199060e350c1101f138d6b2151fc465e930eed495af77aaeaab837b10ca6d1fc113e32be51b5abe9b9d6c00dc73edf2d80ce720e99aabb8cd60ceae458c640fc

    • memory/2672-0-0x0000000000400000-0x0000000000549000-memory.dmp

      Filesize

      1.3MB

    • memory/2672-5-0x0000000010000000-0x0000000010004000-memory.dmp

      Filesize

      16KB

    • memory/2672-6-0x0000000000590000-0x0000000000591000-memory.dmp

      Filesize

      4KB

    • memory/2672-7-0x0000000000400000-0x0000000000549000-memory.dmp

      Filesize

      1.3MB