41496930789c15370bbdd26245b146b74085c766d2a99602bd770ecc8ed6ba9d

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe
Size

856KB
MD5

aefae01a8ba70479c3c0fb89e3cb8723
SHA1

7976b8c5ea0e2e72c1eb8524002c87d3c25eac16
SHA256

41496930789c15370bbdd26245b146b74085c766d2a99602bd770ecc8ed6ba9d
SHA512

ba15dec821cec270d62e1bb4c01efc26e3df7870fb67c9635c48a017f585c2e166b8413c0ecf8c005e35a3d76b307005c76cab57b1d856733aa7a0cd9e313e4e
SSDEEP

24576:hn+9xpjhq48lt+Ug9/FoSyQPGs82biWU4:hnop0lEUgYSy83+C

Score

9^/10

credential_access discovery persistence spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2016-2-0x0000000000390000-0x00000000005CD000-memory.dmp	upx
behavioral2/memory/2016-3-0x0000000000390000-0x00000000005E0000-memory.dmp	upx
behavioral2/memory/2016-4-0x0000000000390000-0x00000000005CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MozillaAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe"	aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aefae01a8ba70479c3c0fb89e3cb8723_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2016-0-0x0000000001900000-0x00000000019D6000-memory.dmp

Filesize
856KB

Download
memory/2016-1-0x0000000003540000-0x000000000360E000-memory.dmp

Filesize
824KB

Download
memory/2016-2-0x0000000000390000-0x00000000005CD000-memory.dmp

Filesize
2.2MB

Download
memory/2016-3-0x0000000000390000-0x00000000005E0000-memory.dmp

Filesize
2.3MB

Download
memory/2016-4-0x0000000000390000-0x00000000005CD000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads