3f0be1187ffe25756a13be39d61e85a2d34e88709a3ee757e3e0caa1e1776c01

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
Size

5.0MB
MD5

c0fff0b1110014b4b891dd7f80b501df
SHA1

b2f3f84ce4df05ab79973d51cb3875d69ae7fbbb
SHA256

3f0be1187ffe25756a13be39d61e85a2d34e88709a3ee757e3e0caa1e1776c01
SHA512

7eeee669630d02caf9775b9eabca4d659dcfca8ec40cffe08ad4e3c7c29c247e763b23618e716ebb3fd3e92549a37b43acd94239b46465ba3aba3b38320ae0a3
SSDEEP

98304:1zIJ8U5vaVDMf1GZ0SOeFO+a+y8R6qb6snjmxJ+FevYb3meaXWhE/sMDqHCvAyDk:1zIr5vBEiSxkAy8Uqb6N+FL3meaGhEUR

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
20	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
6	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	4872	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4872	3652	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe	87
PID 3652 wrote to memory of 4872	3652	c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c0fff0b1110014b4b891dd7f80b501df_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI36522\VCRUNTIME140.dll

Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_bz2.pyd

Filesize
92KB

MD5
f7df576a45b34728a82b4197152591c1

SHA1
77047df95c7b5a9ddf677c14d9310f12a0730408

SHA256
8caaddb25405735d503252b064c8428582ddbfb0d8f5c085bc9deb961d495be0

SHA512
8656249e78453f7244f42c0b702c39daf0c1f543572c91541d429b60522d6abd224e5c0bb472835ec055448cdd79d64b0306eddc380efc3565fa342870b0dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_hashlib.pyd

Filesize
1.4MB

MD5
8706693950f8094f10eede654e9b3bb3

SHA1
ae41f9204e9b713ec6006e21d3b235625bdbabb8

SHA256
ed177cacb897d601c47c755503d54ddf68666b16f34210c0702a58ecdb59685b

SHA512
b7602346658857feaf0f7ca885899347e94738fd8ee5af4e98b02c61117a33c68047b4fba1815b7ec4880a2897002e8647243403494cd69923a5eb3a64ee278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_lzma.pyd

Filesize
248KB

MD5
96c8487073f22656428f06649aa97bd3

SHA1
0d1b10472c3e4a4730f54f4caeb4e3a49a66f740

SHA256
2c80b37508e8e89a08d777b441a7803748abe5387a112f4709a57fc5c7248d79

SHA512
23719de0c96ac34f8c4b38827819c599a7121df43396604bac26bdd6f05313f9a40b7cf9bc27d693188deb8c0f59fbc618139bfb36203e561a6480d7876af128

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_socket.pyd

Filesize
70KB

MD5
e994703d4d5f5392a2aed6d7141b084e

SHA1
642f432cba645c347462afb4337b8b9916d297c1

SHA256
84731f7a0c4c9d71caabca56b6e9d67febef41ea4beffd4a78decc795e6f6caf

SHA512
44fd475aa47703b1473c420fc4de8a6a1fe1d034cf1fddd3e48cb8777218abb0f75608fad1fdc0f9f6427f5cbfc5d8b7dfb6634ea39ca1147824b432d34d057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\_ssl.pyd

Filesize
1.7MB

MD5
2a2839717fb4651f86a22f2d9c0a4c46

SHA1
f1ec67d8c490432d65d81b6839510c65931a0dca

SHA256
d6a82f5dd524220c37d27abdfd4ba42313682a41e5f6b7686ca12bfc6c633952

SHA512
21bbce064eb215d2adcb6034a03be1bd840e1a47e5c91bcd3d3c6634ab4fa62ae2b4cc2012ee87553655e3474e470e2c09ccf1f936f471423381a26a4d287bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\base_library.zip

Filesize
757KB

MD5
5ceca9ae180d624f2f7f7bb11c5ee5cb

SHA1
a78e58d7cf145ef805a1dffd36a85b4ed1fa1263

SHA256
6295637efe0434e3e9e8eddaf260b5b72309c3c92fd05bcfc166f63a26305117

SHA512
a60ee49269a2569df64e008be16fe8f62da8997297461a0659aadd3d16661e9cd8580b839e31eb720a617185cce1dde59abc637da0175853fd1359bfba06ef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\python36.dll

Filesize
3.4MB

MD5
0928808ad26265ee42466655904c1f2a

SHA1
47180b01773dc00eba5fc41c0778a9e3e30a4231

SHA256
45792aded5f8a2faa34becab0d40cc72e6e6d46c609f66bfe16d121776335e32

SHA512
dfb5cf544172e19b08050c596860c839566515c167c509e66dd9ea15183693a9b79ef40b98dab70c2499dfc6d19c98d523f243b8748d1c14d3d684e25d280d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\select.pyd

Filesize
26KB

MD5
e737d0a7be69cc78e1db7e195c3d8ca7

SHA1
61132b7441549658481e25ee861f98115f0dcb4c

SHA256
bab0e4d7cdde2c7ffe061b3ce363765aafe169847d1ac98b96c81a9ac778cd1a

SHA512
c1b1de455aa22800ba9f762529add4e21d29470b47fcce42790d9fc3756aa79a260a3b412ba9b2e43bc0ddfacbce692999308dc1fea604f12ff9921dd3c48869

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36522\unicodedata.pyd

Filesize
884KB

MD5
c64714d47734c7a3572437bb943f7254

SHA1
ae5ce56a1417144c43cf89208a0707bb8f17ebbd

SHA256
e8fc82418021cf85634399f1ea959da6f4e1ecb7b5cab2306cbafe8cb3f79554

SHA512
ef76f3e523c5e8eebf382d2b61e715ae9a7036184a683263f32f137b72dd82533907f802660d3226ce669171f550c224551d70e62f263a1c26759fee2ff660b1

Download Submit