Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 11:55

General

  • Target

    b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe

  • Size

    216KB

  • MD5

    b35cbecd541ee0a6084bf77d5ccfb7c0

  • SHA1

    7eea782353b9f310240a397f6662c073a4192147

  • SHA256

    739f5033de9c24e0eac42a1145c4a7e3a0f00d68fa9a64d578df86b767116fe0

  • SHA512

    1acd55ec774b515c08d8909e8a517a527976f126de57804beb332fbf63ba13dbb43c4a2ae095aa108da9f250333147f802851132cb13bb8bf01f27450c28eb6d

  • SSDEEP

    6144:eqYuCNcXK4W/UhPcFG6UyhbX4tjRuV8TFJZwc:eqYAa4W/UhPeGiVyzRJZwc

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile contents.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\F7A8TM~1.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3036
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\F7A8.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2524
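The process tree above is a textbook batch-file self-deletion chain: the sample (PID 976) drops a .bat into the Internet Explorer UserData folder, launches it through cmd.exe (PID 2708, flagged "Deletes itself"), and the script runs attrib -R -S -H against both the dropper and itself so the files can be removed. The 8.3 short name F7A8TM~1.BAT on the cmd.exe command line and the long name F7A8.tmp.bat in the attrib call are the same file. The following detection logic is an added example, not part of the sandbox report: it runs over a few constructed Sysmon-style process-creation records (field names pid/ppid/image/cmdline are this example's own, modelled on Event ID 1) whose PIDs and command lines mirror the report, plus benign noise the rule must ignore. The regexes, the event format and the alert shape are all assumptions of this example.

```python
"""Flag a dropper -> cmd.exe /c <UserData\\*.bat> -> attrib -R -S -H <dropper> chain.

Added example for the sandbox report above; not the sandbox's own rule.
Input is a list of constructed Sysmon-like process-creation records.
"""
import re
from collections import defaultdict

# Constructed events: PIDs and command lines follow the report's process tree.
# The explorer.exe / build-script entries are benign noise the rule must not fire on.
EVENTS = [
    {"pid": 1300, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 976, "ppid": 1300,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe"'},
    {"pid": 2708, "ppid": 976, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\F7A8TM~1.BAT"},
    {"pid": 3036, "ppid": 2708, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\b35cbecd541ee0a6084bf77d5ccfb7c0_JaffaCakes118.exe"'},
    {"pid": 2524, "ppid": 2708, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\F7A8.tmp.bat"'},
    # Benign: a build script run from a user directory, and attrib SETTING a bit.
    {"pid": 4100, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Admin\build\run.bat"'},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +R "C:\Users\Admin\build\out.txt"'},
]

# cmd.exe /c <path>.bat where the script sits under %AppData%\Roaming\...\UserData\.
# Only the UserData component and the extension are anchored, so 8.3 short names
# such as MICROS~1\INTERN~1 match as well as the long form.
BAT_FROM_USERDATA = re.compile(
    r"""cmd(?:\.exe)?"?\s+/c\s+"?(?P<bat>[^"\s]*\\appdata\\roaming\\[^"\s]*\\userdata\\[^"\s]+\.bat)"?""",
    re.IGNORECASE,
)

# attrib clearing one or more of R/S/H/A ("-X") on a quoted or bare path.
# "attrib +R ..." (setting a bit) deliberately does not match.
ATTRIB_CLEAR = re.compile(
    r"""attrib(?:\.exe)?\s+(?P<flags>(?:-[rsha]\s+)+)"?(?P<target>[^"]+?)"?\s*$""",
    re.IGNORECASE,
)


def _is_image(event, name):
    return event["image"].lower().endswith("\\" + name)


def detect_self_delete(events):
    """Return one alert per cmd.exe that runs a UserData .bat whose attrib children
    clear attributes on the cmd.exe parent binary (the dropper)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    alerts = []
    for cmd in events:
        if not _is_image(cmd, "cmd.exe"):
            continue
        m = BAT_FROM_USERDATA.search(cmd["cmdline"])
        parent = by_pid.get(cmd["ppid"])
        if not m or parent is None:
            continue
        cleared = []  # (what was targeted, attrib pid, path)
        for child in children[cmd["pid"]]:
            if not _is_image(child, "attrib.exe"):
                continue
            am = ATTRIB_CLEAR.search(child["cmdline"])
            if not am:
                continue
            target = am.group("target")
            if target.lower() == parent["image"].lower():
                cleared.append(("dropper", child["pid"], target))
            elif target.lower().endswith(".bat"):
                cleared.append(("script", child["pid"], target))
        # Only alert when the dropper itself has its attributes stripped; a script
        # tidying up its own temp files is far noisier and not the point here.
        if any(kind == "dropper" for kind, _, _ in cleared):
            alerts.append({
                "dropper_pid": parent["pid"],
                "dropper_image": parent["image"],
                "cmd_pid": cmd["pid"],
                "batch": m.group("bat"),
                "attrib": cleared,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_self_delete(EVENTS):
        print(f"[!] self-delete chain: PID {a['dropper_pid']} -> cmd PID {a['cmd_pid']} "
              f"-> {a['batch']}; attrib targets: {[t for _, _, t in a['attrib']]}")
```

Matching the attrib target against the cmd.exe parent's image path, rather than against any executable, is what keeps the rule quiet on installers and build scripts that also run attrib; in a real deployment the image comparison should also normalise 8.3 short names, which this example does not attempt.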

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\F7A8.tmp.bat

          Filesize

          520B

          MD5

          c063bb3a593a96398b1c6c5893fd1e60

          SHA1

          6eb38553a9b295e17a3178b99971067eb36980c5

          SHA256

          7701c910ce18aabb8822453083103307f491ba7a555a778b351d304d176996aa

          SHA512

          5b49138f549b127f473c4d3733d6d79cfd5ad60f6a87e2eabdf9fee1b2e3f4945c32aab74fef50e6c15dd0feed0f351488061746fc855c59c4386bc9ddd1d1e6

        • memory/976-0-0x00000000005D0000-0x00000000005D1000-memory.dmp

          Filesize

          4KB

        • memory/976-1-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/976-4-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB