c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
Size

3.6MB
MD5

c7675ca1be07c1ece91bcc37ab552ec7
SHA1

6f14be3054a124acdff33805876a9bf821b74c74
SHA256

c9a87d68a65ade147208ac8a6d68297877f145285e3f3f40ec01ea8d562fadc9
SHA512

63e2de0470154a65cc31e2d8e83531de4db2c53b6881916bb575c2382e2e21cb2e10a72a7561df3cf2f8b5b4407f8201343d6f971df578999238cbb120b04505
SSDEEP

98304:UUIbT8TEV20PCjVh59plfSkoVVsbzNJpZZBD9AB9nPX:hIb27PfTfShvsbhbZZwBVv

Score

9^/10

credential_access discovery evasion spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Test.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Test.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Test.exe

Executes dropped EXE 5 IoCs

pid	Process
2880	Paradox-crypter.exe
2648	Çàðàáîòîê íà Forexe.exe
2464	2.exe
1188	1.exe
2604	Test.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	Test.exe

Loads dropped DLL 12 IoCs

pid	Process
2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
2648	Çàðàáîòîê íà Forexe.exe
2648	Çàðàáîòîê íà Forexe.exe
2464	2.exe
2464	2.exe
1188	1.exe
1188	1.exe
2604	Test.exe
2604	Test.exe
2604	Test.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2604	Test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Çàðàáîòîê íà Forexe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paradox-crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Test.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016c7d-13.dat	nsis_installer_1
behavioral1/files/0x0007000000016c7d-13.dat	nsis_installer_2
behavioral1/files/0x00080000000172a7-29.dat	nsis_installer_1
behavioral1/files/0x00080000000172a7-29.dat	nsis_installer_2
behavioral1/files/0x0005000000019309-53.dat	nsis_installer_1
behavioral1/files/0x0005000000019309-53.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2604	Test.exe
2604	Test.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2880	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2880	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2880	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2880	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	30
PID 2752 wrote to memory of 2648	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2648	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2648	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	31
PID 2752 wrote to memory of 2648	2752	c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2464	2648	Çàðàáîòîê íà Forexe.exe	32
PID 2648 wrote to memory of 2464	2648	Çàðàáîòîê íà Forexe.exe	32
PID 2648 wrote to memory of 2464	2648	Çàðàáîòîê íà Forexe.exe	32
PID 2648 wrote to memory of 2464	2648	Çàðàáîòîê íà Forexe.exe	32
PID 2464 wrote to memory of 1188	2464	2.exe	33
PID 2464 wrote to memory of 1188	2464	2.exe	33
PID 2464 wrote to memory of 1188	2464	2.exe	33
PID 2464 wrote to memory of 1188	2464	2.exe	33
PID 1188 wrote to memory of 2604	1188	1.exe	34
PID 1188 wrote to memory of 2604	1188	1.exe	34
PID 1188 wrote to memory of 2604	1188	1.exe	34
PID 1188 wrote to memory of 2604	1188	1.exe	34

C:\Users\Admin\AppData\Local\Temp\c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7675ca1be07c1ece91bcc37ab552ec7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Roaming\1337\Paradox-crypter.exe
  "C:\Users\Admin\AppData\Roaming\1337\Paradox-crypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Roaming\1337\Çàðàáîòîê íà Forexe.exe
  "C:\Users\Admin\AppData\Roaming\1337\Çàðàáîòîê íà Forexe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Roaming\1337\2.exe
    "C:\Users\Admin\AppData\Roaming\1337\2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Users\Admin\AppData\Roaming\1337\1.exe
      "C:\Users\Admin\AppData\Roaming\1337\1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Users\Admin\AppData\Roaming\1337\Test.exe
        
        "C:\Users\Admin\AppData\Roaming\1337\Test.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1337\1.exe

Filesize
2.0MB

MD5
c6f1b27b6b65413942afeee03f13c12a

SHA1
d0c9b1b4409c0d4808dc30226463caa9da3a877a

SHA256
305ddcd4d976597f0f219c41a49749d87d7f45ff4578408d60921016b6d662ab

SHA512
585df1b3d6f6b95d79e214b88dced62acee6e9b7a547ee05ab1b2dcbcdb8de80dd8d2dd3dd9ef93964183930add2a594c4c664ee38eaed5e41fe57770f1954d0

Download Submit
C:\Users\Admin\AppData\Roaming\1337\2.exe

Filesize
2.4MB

MD5
bd029ebcf93372264841945ba91d0b26

SHA1
592a3da5fc92f7f92e4b7fd12ca4028f90f05762

SHA256
cf7074081335231a0c3c76a35ae1e6b252ad15e7424f1aa99b48e40835a71391

SHA512
b15e9cd5548c019d6d91fec665d89da2874785778cbdfdfdbf400b19019a3fae9f23f02a7e51a33d39e30fce05b88cc0ebd5221e627e153e04644370d8b09138

Download Submit
C:\Users\Admin\AppData\Roaming\1337\MSVCR100.dll

Filesize
740KB

MD5
0e8888aadab9669d06f55767f2ccaf7b

SHA1
4a1917b4fbda7705782216594fc912e41e76465a

SHA256
43af6d081b5ded0bd3b1b269719b3a63400da25a805d46d579c4dd2a77861ba1

SHA512
66aea1fb8e3e205ae336c0d4dfc8c7a0b635b2f58be893bae47c04e55c128cec2c95cd377fea5ea33befe86b3af7e9dbf35dedd5a9aa5a8bca8b2dbdc5e55ad7

Download Submit
C:\Users\Admin\AppData\Roaming\1337\sqlite3.dll

Filesize
831KB

MD5
2381ce4058796ca28666afe291b5ea29

SHA1
431f2ef403180b1924b1d0870ed99748e0627c73

SHA256
1e53a7b078d5451b95c92af3b0cfb5c01a9d6122b1e3218cf96b0e6fef0df11d

SHA512
83bc783703f156132d7b77265540e4e172784aafb65537338d1f95ec5f1a5dce94650c24d84a7c33d29941744ba55d267a42755bed92bd6ca5b9534dafca3cda

Download Submit
\Users\Admin\AppData\Local\Temp\nsd71E7.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Roaming\1337\Paradox-crypter.exe

Filesize
1.1MB

MD5
3baeaddf47c08c80ee3ee4435e98f60f

SHA1
1cab02faa6f8a2fab257599d831a89954a0c6cc2

SHA256
317cc90ab9037e2e4598abf3856e5f5b6729a40dccd9b3b99d621daab776ff76

SHA512
1b5b6a8465bc0d53abf8d549a2f6a11eb3cd2709485e0a99043f7069f3c04d968715b590b520d856eff42e5b3043b77a4311e99b5229b630e25a248f56163939

Download Submit
\Users\Admin\AppData\Roaming\1337\Test.exe

Filesize
1.6MB

MD5
a0b96dbbdeb12eff9630a2de7311e4eb

SHA1
4d75fbf0357122e513ec72b0552dd1e3d75119d3

SHA256
42db31d1ff1f8eed5938b3b3a220406267d103cc308ca4a26d7ab1120aa65848

SHA512
a44c8a27ce148585927fce6de67fec407a4081b5b3ed7cd9a69963fd06a2540807de5924683c804fc2086b3ef2ea86df40c7fdfcea71f380bd74ac6fe8dbc21f

Download Submit
\Users\Admin\AppData\Roaming\1337\libcurl.dll

Filesize
268KB

MD5
96b6090bf24e2899e01346c995bd401b

SHA1
0aa75b06f61f3ebc20c8dbf93235f10f20ec83cb

SHA256
4e4543d3925202e350acdb39eac4f31bb255b4f934ab09504d36bd3ca6319279

SHA512
2f17052ecf0448994a7888c78f6121f0d104f8aa35cea568a9993cee6db4cd8c3aa4421dd7e7a940bfe5b0f2c65d22db046daccc354118a7045c763097965014

Download Submit
\Users\Admin\AppData\Roaming\1337\Çàðàáîòîê íà Forexe.exe

Filesize
2.6MB

MD5
747f22287c0f2ba22b1f08ae45375238

SHA1
16a823ec4b69210d10cddfc1f44fe3dd866e0dfe

SHA256
a372f4b5a1f263b1f2f2e234671acd55ed587bb7d81632747d5cc77eaf854585

SHA512
e2ac63baa7c666db8d0a191dd80d3bd47c3b0ff42f2e57aee62073fc180853078220a552eb46eb765e14a3e4cece379b757ff66b1e41e816abd1efaa38164f99

Download Submit
memory/2604-87-0x0000000001050000-0x000000000141C000-memory.dmp

Filesize
3.8MB

Download
memory/2604-74-0x0000000001050000-0x000000000141C000-memory.dmp

Filesize
3.8MB

Download
memory/2880-28-0x0000000004D30000-0x0000000004E58000-memory.dmp

Filesize
1.2MB

Download
memory/2880-57-0x0000000005140000-0x0000000005238000-memory.dmp

Filesize
992KB

Download
memory/2880-47-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2880-39-0x0000000004B20000-0x0000000004C46000-memory.dmp

Filesize
1.1MB

Download
memory/2880-31-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2880-21-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2880-88-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2880-89-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download