7896cbbec89f6f79883a877a25aceeb9c6f0401601ffd1411c0849b150c661b4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe
Size

6.5MB
MD5

bc4d0ad6d35b5f7696aaa117265815da
SHA1

f3b021f45f1e54e5826579dc797d9d3004d2fb4a
SHA256

7896cbbec89f6f79883a877a25aceeb9c6f0401601ffd1411c0849b150c661b4
SHA512

b732f02b5ebdba430805cdbad99df628221027657aaef80bc2c290aca7ef881e67292d0afdb7d6b697774484757868f69e898a02451e6bc5a41d9963172a1c8f
SSDEEP

196608:lLAjOEDzxiTh4vJSSZkU0STmtiamai/aH4pW:lLAKko4zDPai/k4pW

Score

7^/10

discovery pyinstaller spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2560	maincheacker.exe
1472	maincheacker.exe
3360	start.exe

Loads dropped DLL 13 IoCs

pid	Process
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe
1472	maincheacker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org
11	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023446-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
392	3360	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2560	4868	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe	86
PID 4868 wrote to memory of 2560	4868	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe	86
PID 2560 wrote to memory of 1472	2560	maincheacker.exe	90
PID 2560 wrote to memory of 1472	2560	maincheacker.exe	90
PID 4868 wrote to memory of 3360	4868	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe	91
PID 4868 wrote to memory of 3360	4868	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe	91
PID 4868 wrote to memory of 3360	4868	bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc4d0ad6d35b5f7696aaa117265815da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\maincheacker.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\maincheacker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\maincheacker.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\maincheacker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 824
    3⤵
    - Program crash
    PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3360 -ip 3360
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\maincheacker.exe

Filesize
6.4MB

MD5
a23e6706583a6dda6e53f89f191314b3

SHA1
b7dc911bbe3e382b78fe4eb963eeb4b95c2b8919

SHA256
cde0fed5b1d9ed88172900284e6603b959d28c74818142dd59397804ac368745

SHA512
41ca11a3cad297061efecb392e2e04c41db47a22db7027968ed2737e342194fb7342d5aaf3ed9aada417c97261bfa671f140b1e4eeee73fd54674e4b893ca9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe

Filesize
24KB

MD5
5b4ff415e917a4bd650dfa998741f31b

SHA1
012aa727ab67ef103f2276cf6571b04035863ce2

SHA256
7ad280d630cd23d8e1bf071323ac5cd35bc389f1fc3f7c5aae147a3e5983d635

SHA512
266187d4eb6a424e11c1ae689c0bc56c649a19d6b4592b3df14108d15f15c06c6e843001e3e0e08108853443db02d26654eaadf8a53f1dc39c89c18c7ad5355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_bz2.pyd

Filesize
85KB

MD5
6fd0281bca7eee0f354a91f958714edb

SHA1
c7f643955d589f6d3093459327dcaab3b7ae4a32

SHA256
03d8966f4d8ab347140a3ad9938fb91db11e01e028e980721451070eb0483cf7

SHA512
86b2944acac0601273a7534b5698991ed0475cc3f913f179fad27aa8cb7732ea56d9e70b6e959fb55795384ed652565586b8a10474864daa4874321f31b4a416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_ctypes.pyd

Filesize
124KB

MD5
da2ff1686ab85c37a2a247bb8595c258

SHA1
2168b91cd87f89f9a5590775bd6610eabc5d4cb7

SHA256
279560b61e20b869a059a103fb010093f9e367420bc81182646e357de8b9740f

SHA512
7711cb3a8302af491be5a33923032be4633400ee5c5d65937307f8c5e14674f0f32c96569e77fe894728a9f4dba1fbc43a984e8bd262721b0f8949d8f7bb93f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_hashlib.pyd

Filesize
46KB

MD5
3400da54faf3c3128f9c9e126a881be0

SHA1
6352074113ecb5b5ecf0442d70898f2acb933e91

SHA256
68913d6d5102d32dddf5a21a4770ac2791f29106c0d2d3a3d0192356ea366c66

SHA512
d9d9ca6a27792af60e36fab9d623bcdd9727efd565cd8c3787da70f10e168ded90d9208f9c9c56a5815ab316779dc05dc799fbf8e327c9ef18765c6c529886c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_lzma.pyd

Filesize
160KB

MD5
0caa4da7b74fc8e8f08ba736274bdb46

SHA1
4b46dc22c81fa3558537249c994614def1fd8cce

SHA256
167c5550b93541c703c8afeb4d912719d5039230a7efce8f4bc500f175252ed8

SHA512
47f1f338ea4055a4b88691ebb511ee95d29943aa7d519a7d5f513bef26641990c1f31ad2839e7ed0342a5a262255b770ca922f7d173c998e0ff11c594bf8efab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_socket.pyd

Filesize
78KB

MD5
49f417de4aaae069d5b2d5d5a4ddabe1

SHA1
56772fe3d3a7f7865d412e3b27c11ec7e7c9e3c1

SHA256
f1930ca4c78029fb41f3f661194b9d3001d0a99f45d68bf3a4a87d9ea36aad20

SHA512
83f5be813cb8c0d738dbc27ab45ac561aa0dfe65c5caf72f47a72e3afa05e7e750ac63cf9a42a983a86ce33b25bb1426e0b2e78d62598616fd040b72c34419f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\_ssl.pyd

Filesize
151KB

MD5
4ddf64b25544d11a28215052a394b457

SHA1
8c9d674f5cd29ba44fc6f525a184cbb7934fe006

SHA256
b673e41306d6df496151017ecb153a69e0be509b448697d70427ac82c1664974

SHA512
231bbe17bf1e5bf0173e396ea3703f93a48404a08eb6665f1f20c3d107b7370859fff2b5ec5f2515a47f7541ba3426eaca624ee1e13b1bf9da38edc3177dea7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\base_library.zip

Filesize
769KB

MD5
eb2405b0614f8d5fcf08941f5b691595

SHA1
d36bd2b278bd031a97ab5b8fb9501a90f1e0684c

SHA256
a4b69a12bf6f52fec0a801941f21f8d120056d824c43a73e5709b59183c5f092

SHA512
492bf62a1e76c8188fe9486019c089c471f6277249440ef64a0e16b635956e9c1f0edd4d8101c3092a346b64c49b6fe34cd2548b2146091ad8803ee1a1361f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\python38.dll

Filesize
4.0MB

MD5
b8a6aa94b49a9230f554a15ee6e58b63

SHA1
bbb48404391262242f2dc3b7fec045283a2c4416

SHA256
021f222f0bacacc490081f5a37bd78148e34f22fabe89587e1e0c6841390b7c5

SHA512
464d702b1291fd392ce767130f054a0d32b024480ffe4ad60fbc5cc6735031be28d1839db530f7a20b03b3eda782d324482f38111d9e9afc2cae3579f07e52c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\select.pyd

Filesize
27KB

MD5
f3702dfaffad5d95ac7022abf84440f3

SHA1
a78d5994aad9a82b8cfaff1ef4eaba38bab9ce7e

SHA256
cea18e860d251fbf4e9bf6e8689ba23b43db4cdb9fd421270e8ed1c3b1aa4401

SHA512
07cadc08bfb86633c8d54b717fb06217af0c586ddade537a6000ae662d2adbd3107e30d32f28130041357d108eaf1f67a13ae3858be0d18daf2123666d2c26c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\unicodedata.pyd

Filesize
1.0MB

MD5
b36dbbfdbe686f33d50414c288c1acb8

SHA1
b389d6a8bdd9bb7d2b579a48e8e9ba94fca499bf

SHA256
5ed7787555704626da817b872c60eac09b984ffdf00d5aacdf06b6d9a935b105

SHA512
7ad66bb84b38b8153279c17ac80be44d0f3b96a937a906fb2dcaf664fbb9d0cb696a0d8ad8942951e68ef6b7ac7855fbc5b59bca03d262471b9f74809db5ac91

Download Submit
memory/3360-79-0x000000007281E000-0x000000007281F000-memory.dmp

Filesize
4KB

Download
memory/3360-80-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download