Analysis
-
max time kernel
127s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
24-08-2024 04:50
Static task
static1
Behavioral task
behavioral1
Sample
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
-
Size
502KB
-
MD5
bdec8865e624dae2383d2fda11e44078
-
SHA1
5c01005faaf9a74add894274b58827b73d264d8b
-
SHA256
a696cac7fa86028b6a11fb1cebc3c2c203818086472511fd9dfa01206b4d8718
-
SHA512
0ab66a27e866fb35f1e1d319458b2c27676317322c2d33ae4accd251a1033d30d243719228c5e396c7857191d8369166f60b0ff5b70534874735a64a80b0f34f
-
SSDEEP
6144:OxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHe:OxQtqB5urTIoYWBQk1E+VF9mOx9q
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Myname22
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral1/memory/2692-8-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2692-10-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2692-13-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2692-15-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1748-17-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1748-21-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1748-19-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/1748-28-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2692-8-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2692-10-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2692-13-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2692-15-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1748-17-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1748-21-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1748-19-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/1748-28-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
Processes:
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exedescription pid process target process PID 2860 set thread context of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 set thread context of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
vbc.exebdec8865e624dae2383d2fda11e44078_JaffaCakes118.exevbc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exevbc.exepid process 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 1748 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exedescription pid process target process PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 2692 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe PID 2860 wrote to memory of 1748 2860 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2692
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1748
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84