0608199328a6a99f873f7ac2b24e3dae6360b7eb6d2126f65b9571fc20437c24

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Size

2.8MB
MD5

be23ca84c770caba266a752ef659fbe2
SHA1

24f070cc1050901e56da6e8ce30a9fc51979c789
SHA256

0608199328a6a99f873f7ac2b24e3dae6360b7eb6d2126f65b9571fc20437c24
SHA512

a2bb0b83699b26e8afeabee1fbc9d95123584cd21aeeb5dcaca3b0bf7356cf437b2e80767f4359d0ae23dc056237d6cbb330ea28031e0100ab978891246f07d1
SSDEEP

49152:g7OKtQuwOTN2nuqnKZ1UFxalg+q7tlb4Wd2/FRZxY2wdHqfcxtVgq:gvaujeuiK+2Xq3b4Wk8PdH6cx

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be23ca84c770caba266a752ef659fbe2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CT1060933\CT1060933.xpi

Filesize
1.8MB

MD5
ebf9a4b9b5866532fd4ddbb996b7e49b

SHA1
21b4893a07b1c3f5360db4f2b38c9e41f5e3745e

SHA256
85bf0210dc38073ca5a8ce2d9fd6379c9861c9402d0992f57c1b6df543412e17

SHA512
24561917683005a24a5b9d259940054150aebda894538bcb4a312a72e7246b4537c66b19477cadd8314fff520a985001cccd260ebc315a89cf1a2fea54d1d902

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz18B3.tmp

Filesize
307B

MD5
571ac6052902d3f4b7a74f155dbf062c

SHA1
00989f579b361b5b3c2e4486d093db4afe79d203

SHA256
4f66463e5b2324b27f4ab9ebcfb12642bf93da09a64898c942b9a7e7961debab

SHA512
dd2ce26ecf079a68acf4f7df217b1566478d9661d84eb79da07034868cf997ea7fc7c129e5eebf13718a1ee3fa6820b23eafb7a849df5a8b79eab529a3942bd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
613B

MD5
4660513d2a9ac853b1e122e743c17bc0

SHA1
f8cfd1fd8af967abda0e9fcb7d007f2fb42247f5

SHA256
65b55f4d1d165e131425547c6509bb462d78ecc16d7d9287b5952cfa5407f864

SHA512
7d02e11e645a2222975383dc6b67701f7df3892f0dc4f049d8039fb29abd3fab4ef12118a4c3a55893afc2a43dcbd1c7be18c175d58ee64c3a76030fb98626be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
124B

MD5
906e328a272dace63cd229f81934b863

SHA1
22708029bbb82c6b58c4f2fde3197765daef96c3

SHA256
352630ea6cc2822a635671eb47f399772af66f6ee22c5e8feb0d0e8040b80c4e

SHA512
7ac8597e8740433753ffab90a44946dc4d9fbce7e022debbbf6f1a2575fbab525c65c089a0c06c1c198402243621b6850b7cd911a66beda2bc82255339a178eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
256B

MD5
fc66e267ff146860bed66b26a56c5f33

SHA1
cf969c3ce3b27e2b22d9762688312e22edf6b31e

SHA256
a3a2f47c3773ba7567228c2df682c51276db3f00e81c40f3bb8e5550e141faa5

SHA512
0ebc9c413047df3be5be9adc539de42e33e2a858b23c1b74f6e7aaec73d1db67b42378b5c617edd83799f68a909e67f40f22087dc95f479ef2eecebe52fed9ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
290B

MD5
05ee2a80b6769897b2bb05637a12985f

SHA1
0fd3321f9cabe161b38570b58ef8970684c85708

SHA256
1cd72f02df8d0b7670cbc3880d5a032ff5a0b8dcd3c04dd2fa97914df4e2b6eb

SHA512
395a3039f2e8e126bf69cb097a426bdab059d55d7e627725be853c34b90256a52448c740595605e4b26897ce9b59473bf987cd8b5e61fd4098edb7db50cb4a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
509B

MD5
347de497d9671f8d6303d45a3c361cb4

SHA1
ee75136a473a94a0efaceb4a729017a549d93dbc

SHA256
6457bc3e0b7c73b3eda659fbf88b573f5fa585c3e296b00d27912386ea4464bf

SHA512
213bea33455a4a23765a233c5b3d1fe087dbd6dbd3c12f607dfee92e34450af119976099f32d9c86b88691e532f20daa84a85a294e9e2572f6cd5b5bf4b3ba79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
569B

MD5
50a64abda79ec84d0a48c6ca44f03c65

SHA1
8fb70acfefde3815880682ee5d4065dbc39c519c

SHA256
5f4086f2b7aafdeee0ca5abf4e6d2d7089cf999cbd929d936d07de3f9d1bcaec

SHA512
430c7f3a0227372f3afebc1e0cd8d1ca5379fc727918bf652c6efb707ee83f913eac5d44c958bf20c931362201ea93e8514f3a6ba113f11a50e3c0c56d2235d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
660B

MD5
f02628024ce7de7ad81fd660c7011eca

SHA1
a9e8255022055027f9fed21648f2deeb1d2d4dff

SHA256
0d8dda868caa123314424545cd52f37ab285684b858efec2dd63920f5af4d962

SHA512
6c930c53eb78388f98d6649e19375f9da1bfe8fbbb942bcdb123c8988c229629665af3e104e544c1098cc93da8721bf2ceebb760353f71f0874182a594c20b33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
848B

MD5
ac4ac26cab77f4074c2a6b3fdd6755b5

SHA1
344794bfa0da4987539f973d81a09c4facc14a3e

SHA256
a8b535978de9e1c331a8b131cb60a72459265f8ab850693e29880f88d4c4f03e

SHA512
c1ff4932477e9a822f5e7aae0bd8c568b383fc780f7882d7d33bc5677c04bb01531c986a03028017bc24515bdd0b5e19489f2a0856c62dd9a849d513376574dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
442B

MD5
dc1996085e0c9c6f28ddb5585af20902

SHA1
4c64a8c7a83822696f752fbcd5f2ec9098c32ec6

SHA256
1b00389f4035520ec015a517529abc98980efc9d8006a1d77f9c07e16bc7ceaf

SHA512
8652ae97ff002c048f4fd846fac9720dc8fa42ad41764f4654675d821867511bd8b78a1b24620c565fab55613f1bdb87e63030d0ca331b7309b01b4e66ed5b66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
708B

MD5
2ab493beb950e4b9e8af190e6dc135e2

SHA1
5657f14c4e35a23308245e622a9e71dfb56153a6

SHA256
bc324aabed42ad31501cfbeee1abddd16f91536c9ca805694f93a4abdec46784

SHA512
bb32a7fcb8363ca71a1a3becab4f6637b850f870c55bb7a9c352f8014bbc6805ca0c30d6916f0ae4e4735b77cec69e4f83684485b71b5471e7bd1c4671cd0496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jeoljg2q.Admin\newPrefs1.js

Filesize
753B

MD5
d1bd3f54f8a7faafc87190960be82536

SHA1
3492155fdb6ab1f5d89abbc299e26d8d451de697

SHA256
800848c9298e1982260a5fb0509d84d20e0a52292d69789340f36601ae4e5308

SHA512
f0e6d11e3f99d1379142c6f51b736c0221dda421d542719bd029a0491aafbb4c9158eba188605569f6c63ed1e752ba92d8e73d55e07b87dfc34ea645dd3dfab7

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\InetC.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\nsCRandom.dll

Filesize
145KB

MD5
9ad78702635cd2f0ed3433628454fecd

SHA1
c786a3cb7ff21214c04299ffc37e4f9852afe6bb

SHA256
673d8ffba022c8196129d537973ad18049192f5cdeffd027ee743e2a6f7e1c85

SHA512
1a15155057cece9e5600e3a446a7f25a91c7caff8b99ac995566cff18edde956789a2c549748aa267802111137fb5fb60e2aafa077caf06df060361274745398

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\nsJSON.dll

Filesize
87KB

MD5
bedcf010d3e92c6cbc30fb8ea67abe1f

SHA1
4cc451f8d84913cfbaca0286f4b415c841221d4b

SHA256
50094ae30fd6c741ae051c2d6d09a0af957caf5d48fa96f232f9279e7ded2103

SHA512
8394b57aa401767f259f2ba14ddc17e4ac022f7e6f392d790e3466b0a2801a210a71182abaf6cc5fc8d160ef79ba20b27930dc33763b9db497293e52ca52f38d

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\nsPrefsJs.dll

Filesize
169KB

MD5
947cf03bd51a4644cb8e59221485343e

SHA1
4edb9082cda4834f3b08a501e75e21a430197dca

SHA256
23e4665fa2ac4434aa623b8818d478fd7e30b3a9fcb7ee43027b4c1771082ef1

SHA512
6fad92247cbfdf623446f2b06671888d71f1cb23521e6de0fffb9fb56663d51e38946eb2958c2b5462f5bbb5ec999a6ab5ce5b0d46005b82f065863b187d8239

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\nsUtils.dll

Filesize
340KB

MD5
e34567b8e1dccb066ccd0173d5818498

SHA1
3ce6f07c3c06bb89d6b422062cff9dc66f13f856

SHA256
ffd585c14f96f869f3c3ce6d0a2d47bc0a2575c02bde9d4057bf7fa5fa81c6aa

SHA512
dcac041914f7ebaa96ced5672752726709155bb8f8709f2ec215e66de7163e2496f3d73a5c9ef431668f814b633182012f728f099771462a8558e34acc3498c4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1AF2.tmp\nsZip.dll

Filesize
196KB

MD5
977d7686d7a04135444542fdc1e7c13a

SHA1
a171f9ef1eb96ca91225ea26468c1023939a5c14

SHA256
4274ea4a094ebb9eb54046c95488460afb0097d0565b8eae4fbfce981706f0cd

SHA512
4f3bef13aa1d1f57624385dfaccc4ecce201c235ba2d2d451f469d39ef5285afdd57249c7dc5a6538253ea8f7cda25964abc1eb041715730d2626694667ee4f5

Download Submit