Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-08-2024 04:50
Static task
static1
Behavioral task
behavioral1
Sample
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe
-
Size
502KB
-
MD5
bdec8865e624dae2383d2fda11e44078
-
SHA1
5c01005faaf9a74add894274b58827b73d264d8b
-
SHA256
a696cac7fa86028b6a11fb1cebc3c2c203818086472511fd9dfa01206b4d8718
-
SHA512
0ab66a27e866fb35f1e1d319458b2c27676317322c2d33ae4accd251a1033d30d243719228c5e396c7857191d8369166f60b0ff5b70534874735a64a80b0f34f
-
SSDEEP
6144:OxbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHe:OxQtqB5urTIoYWBQk1E+VF9mOx9q
Malware Config
Signatures
-
Detected Nirsoft tools 4 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/392-8-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/392-10-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/392-11-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/392-14-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/392-8-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/392-10-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/392-11-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/392-14-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 whatismyipaddress.com 13 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3356 set thread context of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 set thread context of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 -
Program crash 2 IoCs
pid pid_target Process procid_target 4588 2128 WerFault.exe 97 4560 2128 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 392 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 90 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97 PID 3356 wrote to memory of 2128 3356 bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bdec8865e624dae2383d2fda11e44078_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:392
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵PID:2128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1843⤵
- Program crash
PID:4588
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 2283⤵
- Program crash
PID:4560
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2128 -ip 21281⤵PID:3052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2128 -ip 21281⤵PID:5112