Overview

overview

7

Static

static

7

bb22b7cd18...18.exe

windows7-x64

7

bb22b7cd18...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    bb22b7cd181856e19f41db0463c2a6da

  • SHA1

    19eabacb8fcb30d8695e09b7a30ead73c61367bc

  • SHA256

    921da0a7b383822beed81fae81762b525bced3706af6d791ebfcd1c546ab6810

  • SHA512

    7a737a68e227f6ecf9f724d09aa069d2275a89336edbad7bb75131b6b687b108519f9fda572f64d9f6f349fa3df1dfee091e90986ffc88f164985d433e7d9819

  • SSDEEP

    3072:T4d5Eow66VJaolwYG0/SSOIYyPrOeYysgUFuku8dD3/R9cIROdwJEax0byj164S4:kdv6KY4uRh+Zx/RuINx0+w/bD6KL

Score
7/10
credential_accessdiscoveryspywarestealerupx

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookAW 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookAW
    PID:2028
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:2724
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2756
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
      2⤵
        PID:2156
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
        2⤵
          PID:836

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
        Filesize

        1024KB

        MD5

        d10c27f59dfdc972c4de635687df4614

        SHA1

        3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

        SHA256

        71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

        SHA512

        4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

        Download Submit

      • memory/2028-0-0x0000000001000000-0x000000000106B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2028-87-0x0000000001000000-0x000000000106B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2888-18-0x0000000002BF0000-0x0000000002C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2888-34-0x0000000002CF0000-0x0000000002D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2888-57-0x0000000002370000-0x0000000002378000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2888-63-0x0000000002490000-0x0000000002491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2888-69-0x0000000002370000-0x0000000002378000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2888-71-0x00000000022A0000-0x00000000022A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2888-80-0x00000000023D0000-0x00000000023D8000-memory.dmp

        Filesize

        32KB

        Download