Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 15:28

General

  • Target

    cfda42008fbc405156cdf34a1bbb898e_JaffaCakes118.exe

  • Size

    260KB

  • MD5

    cfda42008fbc405156cdf34a1bbb898e

  • SHA1

    0c97879e3593938722d3e327b5dccf15c0bb379b

  • SHA256

    b1ed0f1ec41e1fc618ddb9487fb2352f0fa4e50135f128939d267c0565e7b65b

  • SHA512

    42d4a02861bab73f61e8b31e646afadfcfe830e560444bcdab9c3860cabb8707332dc5254ee103d05b3da6e37d2b66d95889427c2371e6d4cc023db2392fbfdf

  • SSDEEP

    6144:ejEDyVUtKq9o8BC2N6tdTTTbfxXuzJwGhrBN+v:FmVUtKq9o8BC2N6tdTTTbfxwmGhrDy

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 20 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view the network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfda42008fbc405156cdf34a1bbb898e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cfda42008fbc405156cdf34a1bbb898e_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Program Files\Common Files\svchost.exe
      "C:\Program Files\Common Files\svchost.exe" -s
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ipconfig /all >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c set >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c systeminfo >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:5000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c netstat -na >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -na
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir C:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir D:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir E:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4972
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir F:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1704
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir G:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir H:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir I:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:716
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir J:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir K:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4200
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir L:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir M:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3872
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir N:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4988
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir O:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3736
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir P:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir Q:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir R:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir S:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir T:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir U:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir V:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4688
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir W:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir X:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c dir Y:\ /s >> C:\Users\Admin\AppData\Local\Temp\alldetails.txt
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Common Files\svchost.exe

    Filesize

    260KB

    MD5

    cfda42008fbc405156cdf34a1bbb898e

    SHA1

    0c97879e3593938722d3e327b5dccf15c0bb379b

    SHA256

    b1ed0f1ec41e1fc618ddb9487fb2352f0fa4e50135f128939d267c0565e7b65b

    SHA512

    42d4a02861bab73f61e8b31e646afadfcfe830e560444bcdab9c3860cabb8707332dc5254ee103d05b3da6e37d2b66d95889427c2371e6d4cc023db2392fbfdf

  • C:\Users\Admin\AppData\Local\Temp\alldetails.txt

    Filesize

    2KB

    MD5

    e8b3dbdb0517d89c2853e61bd6734e8c

    SHA1

    2d71b03a9a4bdd2dcd835a2af53e40570c27640d

    SHA256

    a8b7aab58572b73271aacadfa140b30d2a549a60d99171b71083521f9ba8aec5

    SHA512

    5a206e8956d650a1623f1d241dae91d7df99b5eb986a1bded373040599031e2ef4ff39fbf714890af070b42e9a12e35f3b1574044b8e74fc4fb3492efae56a86

  • C:\Users\Admin\AppData\Local\Temp\alldetails.txt

    Filesize

    4KB

    MD5

    7c3371a8fe771387180f258c250f0c92

    SHA1

    c65c7e3717febc80eacd380701ab74082bb568c0

    SHA256

    cfa15d183c88de9e1e4afb657b8ad742684a7945e8f4e8dadbc715838f9aa0df

    SHA512

    d4e2f4889bb1ed368adf43fb241ce60d6dd043f93627976c4e143b4d1d0ee213923825d503655455a71fd4347d7c6b225c59c1ed1935e319e891bdc278f3874f

  • C:\Users\Admin\AppData\Local\Temp\alldetails.txt

    Filesize

    7KB

    MD5

    710b6c3ddb1d8bdf08217034fa0f4aa2

    SHA1

    63586571982343004fec0ce9b357cd7cd1408ef0

    SHA256

    ecf15098a42cef2d227f19db468dd762b5ed266b940f07fcddd4da0fdf7b45ee

    SHA512

    36a3ebece9bbe3736e3da6f8ed6472666e5e754f836030fbe31b221218c87d1503530c499bd2f06a670690596c1c8d090a3179aae3c0c1865cb3cbd4c965ed6d

  • C:\Users\Admin\AppData\Local\Temp\alldetails.txt

    Filesize

    37.3MB

    MD5

    f8ff1c840a65283dd7a554f498807d0b

    SHA1

    f052468f05e001456107e18511f8bd287df9f7c0

    SHA256

    00e428401c60ccb4060ca1e30eb13d67ff685f28da814585b5e567fee2401e18

    SHA512

    ceb52e23b2fa47524d4b38a0f8ed9a5757d8b4873dd737ff1d32bbca6ca27f8569bed16c4a5d8e57a9253ef40f9b95c6bb46cf777733221c490b9932cc55093d

  • C:\Windows\drive.ini

    Filesize

    50B

    MD5

    795275950d882f2c51a5d39b93e4ed9f

    SHA1

    91b406f2b080334d9a6e0c4709329e4538619ed9

    SHA256

    823f82b94dd36372d648eeb1471293bff3c7e30528bf0dc938fa5ea61a804268

    SHA512

    450bb4f536dbc186526e9ae896140f890415d759231fa311d38242951f9ea98ba2a70e2dae3abb27dc098ad3d6eb6f2c497b08f54f3550f5df6b4e19e9be6081

  • C:\Windows\log\20240906152830.cab.bak

    Filesize

    4.0MB

    MD5

    b78aebb039df263b8ca0ebff6c337a7f

    SHA1

    b383e3e176abfa431e0ccc012bae8ade575caf4f

    SHA256

    9bc9c3cdef143b6957fde33a0bd9bf5b630ef7f02ede6d607727d5c0f672784a

    SHA512

    db4f8aec1d4b9132eec472bcb69db271ca96f8c0b530f490ba139a531c2e63a6f347862cc926c09011324bd7ca8aa9fbcee0a311b3e02a1136790f9f48211daf

  • memory/1240-0-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/1240-5-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2228-42-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB