Analysis

max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 07/09/2024, 04:37

Static task: static1
Behavioral task: behavioral1
Sample: d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Size: 271KB
MD5: d117a75095be71e7c5feb00118a4b212
SHA1: 11705700db56239779f20077b9197987c17c1590
SHA256: 450a5243fbb6988b98717429de9b5b756a50212e38c218ba7984bf237de4bd63
SHA512: 35432c5d20260043ba94c35e93adb1a0c907a11c1995d3f545490f71a711e9e39adfad62897323e9ae8d84619f160ee2fe66a71fb9ce795b27a1f24104767166
SSDEEP: 6144:BtfDwsjPThT5zL2e6FJph/ox1M7JtLLpSVurRuTb2syNcGJ:B5hVxekqtLLpFRuH2sy
Malware Config
Signatures
Deletes itself (1 IoC)
  pid 2284  cmd.exe

Executes dropped EXE (2 IoCs)
  pid 2060  Logo1_.exe
  pid 2652  d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe

Loads dropped DLL (1 IoC)
  pid 2284  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by Logo1_.exe, one IoC per drive letter:
  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:  \??\P:
  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
Drops file in Program Files directory (64 IoCs)
  Every entry is "File opened for modification" by Logo1_.exe, and every target is an existing executable rather than a new file. Together with the drive enumeration above this is the footprint of a process that rewrites installed .exe files in place, so on an affected host no Program Files executable can be trusted until it has been re-hashed or re-verified against known-good copies.
  C:\Program Files\Java\jre7\bin\tnameserv.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
  C:\Program Files (x86)\Google\Update\Install\{1A1CC958-2235-4531-8015-5AFE1D6CBF7D}\chrome_installer.exe
  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  C:\Program Files (x86)\Windows Mail\wab.exe
  C:\Program Files (x86)\Windows Mail\WinMail.exe
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files\Windows Mail\wabmig.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
  C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Google\Chrome\Application\chrome.exe
  C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
  C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  C:\Program Files\Java\jre7\bin\klist.exe
  C:\Program Files\Java\jre7\bin\ssvagent.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
  C:\Program Files (x86)\Windows Media Player\wmpconfig.exe
  C:\Program Files (x86)\Windows Sidebar\sidebar.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
  C:\Program Files\Java\jre7\bin\java.exe
  C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe
  C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
  C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
  C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  C:\Program Files\Java\jre7\bin\kinit.exe
  C:\Program Files\Java\jre7\bin\ktab.exe
  C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\Logo1_.exe   d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
  File created  C:\Windows\virDll.dll   Logo1_.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that cmd.exe trips the same signature here, so treat this one as low-specificity on its own.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Logo1_.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 2060  Logo1_.exe  (8 occurrences)

Suspicious use of WriteProcessMemory (14 IoCs)
  source pid  source process                                       target pid  procid_target  count
  2172        d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe   2284        30             4
  2172        d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe   2060        31             4
  2060        Logo1_.exe                                           1192        21             2
  2284        cmd.exe                                              2652        33             4
  Target 2284 is cmd.exe, 2060 is Logo1_.exe and 2652 is the re-launched sample; those three are parent-to-child writes consistent with process creation. Target 1192 is Explorer.EXE (see the process tree), which is not a child of Logo1_.exe, so that write is the one worth examining.
Processes

C:\Windows\Explorer.EXE  (PID 1192, level 1)
    C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe  (PID 2172, level 2)
      "C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2284, level 3)
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a59C.bat
        - Deletes itself
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe  (PID 2652, level 4)
          "C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe  (PID 2060, level 3)
        C:\Windows\Logo1_.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
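Detection logic for the chain recorded in this report, as an added example that is not part of the tria.ge output. It replays constructed events modelled on the process tree and IoCs above (the event schema with process_create / file_write / file_delete records and pid, ppid, image, cmdline and target fields is an assumption of the example, not the format of tria.ge or of any real sensor) and flags five behaviours: a PE dropped directly into C:\Windows, a dropped PE being executed, cmd.exe launched by a Temp-resident parent to run a Temp batch file, that helper deleting its parent's image, and one process writing to many Program Files executables. The rule names and the threshold of 10 are choices of the example.

```python
"""Replay constructed events modelled on this report's process tree and IoCs
and flag the behaviours they exhibit.  Added example; the event schema is an
assumption of the example, not the format of tria.ge or of any real sensor."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\.*\.exe$", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll)$", re.IGNORECASE)
BATCH_RE = re.compile(r'/c\s+"?([^"\s]+\.bat)', re.IGNORECASE)
MASS_WRITE_THRESHOLD = 10  # distinct Program Files executables written by one pid (chosen here)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe"
DROPPER = r"C:\Windows\Logo1_.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events (not sandbox output), in the order the report's tree implies.
EVENTS = [
    {"type": "process_create", "pid": 2172, "ppid": 1192, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_write", "pid": 2172, "image": SAMPLE, "target": DROPPER},
    {"type": "process_create", "pid": 2284, "ppid": 2172, "image": CMD,
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a59C.bat"},
    {"type": "process_create", "pid": 2060, "ppid": 2172, "image": DROPPER, "cmdline": DROPPER},
    {"type": "file_write", "pid": 2060, "image": DROPPER, "target": r"C:\Windows\virDll.dll"},
    {"type": "process_create", "pid": 2652, "ppid": 2284, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_delete", "pid": 2284, "image": CMD, "target": SAMPLE},
] + [  # eleven of the 64 Program Files targets listed in the report, all written by Logo1_.exe
    {"type": "file_write", "pid": 2060, "image": DROPPER, "target": p} for p in (
        r"C:\Program Files\Java\jre7\bin\tnameserv.exe",
        r"C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE",
        r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
        r"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE",
        r"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE",
        r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Program Files\7-Zip\7zFM.exe",
        r"C:\Program Files\7-Zip\7zG.exe",
        r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
        r"C:\Program Files (x86)\Windows Mail\WinMail.exe",
    )
]


def analyze(events):
    """Return a list of findings, each {"rule", "pid", "detail"}; events must be chronological."""
    findings = []
    procs = {}                    # pid -> its process_create event
    written = {}                  # lower-cased path -> pid that first wrote it
    pf_writes = defaultdict(set)  # pid -> distinct Program Files executables it wrote
    for ev in events:
        t = ev["type"]
        if t == "process_create":
            procs[ev["pid"]] = ev
            # Rule 1: an image that another process wrote earlier in the trace is executed.
            key = ev["image"].lower()
            if key in written and written[key] != ev["pid"]:
                findings.append({"rule": "executes_dropped_pe", "pid": ev["pid"],
                                 "detail": f"{ev['image']} written by pid {written[key]}"})
            # Rule 2: cmd.exe whose parent lives in Temp runs a batch file that also lives in Temp.
            parent = procs.get(ev["ppid"])
            m = BATCH_RE.search(ev["cmdline"])
            if (key.endswith("\\cmd.exe") and m and TEMP_RE.search(m.group(1))
                    and parent and TEMP_RE.search(parent["image"])):
                findings.append({"rule": "temp_batch_from_temp_parent", "pid": ev["pid"],
                                 "detail": f"runs {m.group(1)} for parent {parent['image']}"})
        elif t == "file_write":
            written.setdefault(ev["target"].lower(), ev["pid"])
            # Rule 3: PE written directly into C:\Windows (not into a subdirectory).
            if WINDOWS_ROOT_RE.match(ev["target"]):
                findings.append({"rule": "pe_dropped_in_windows_root", "pid": ev["pid"],
                                 "detail": ev["target"]})
            # Rule 4: one process touching many Program Files executables; fires once per pid.
            if PROGRAM_FILES_RE.match(ev["target"]):
                pf_writes[ev["pid"]].add(ev["target"].lower())
                if len(pf_writes[ev["pid"]]) == MASS_WRITE_THRESHOLD:
                    findings.append({"rule": "mass_program_files_exe_write", "pid": ev["pid"],
                                     "detail": f">= {MASS_WRITE_THRESHOLD} distinct executables"})
        elif t == "file_delete":
            # Rule 5: a child deletes its parent's own image (self-deletion through a helper).
            parent = procs.get(procs.get(ev["pid"], {}).get("ppid"))
            if parent and ev["target"].lower() == parent["image"].lower():
                findings.append({"rule": "child_deletes_parent_image", "pid": ev["pid"],
                                 "detail": ev["target"]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:30} pid={f['pid']:<5} {f['detail']}")
```

On the constructed trace this yields six findings: the Windows-root drop by the sample (2172) and by Logo1_.exe (2060), the Temp batch launch and the parent-image deletion by cmd.exe (2284), and the dropped-PE execution and mass Program Files write by Logo1_.exe (2060). Rules 3 and 4 are the ones that survive a change of file names; rule 2 keys on the `cmd /c <Temp>\*.bat` idiom the tree shows and will also match benign installers, so use it to raise priority rather than to alert on its own.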
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 613B
MD5: b430da4101502361d4a41f7212204b28
SHA1: 21bb61406b5b333dfb8457c278dea3c599294e47
SHA256: 3b8c7b2cdfbec6ee9574baac8fa518e2472f5a7070ac5d8cc77cb72ec7ec4c4c
SHA512: 564fa280135ff7679f56ef760c81ed011cfb751d847657ec91a71d6fc0bd7789b476f6b3c4a0963cd32098d431c6c844ab6b938ebe7d6a0e3bcad59445d9b529

Filesize: 212KB
MD5: 21c7ce3814a6cdba5d2d8812aea6f909
SHA1: 5462eba362318bdbd26ce3a40e2684b5458a7447
SHA256: 033ddec6292fde9d6a100f69b9945b30d168ca968a738b6f5d845f5d3b4c3040
SHA512: 8f2eb3b7e3f9568d1d57b11ffd6a6bc8efc0e03bbff90911ce5614d4efc2e02da41f97ae55b7404081adabd82fdd5c5d0f34c49caaee678c031c1ee3f15ce53e

Filesize: 58KB
MD5: 1be8dfcde4662db74c0bc4f7a2673724
SHA1: 64b10f8cebda45de401e89f3c6cf1b144d9d02ef
SHA256: 5b3f69185e6948045ca979624265e249bce2b0d4b5fe3a036f0db44c9f181a15
SHA512: fad9efc85c0c0a17fc794ac5dfe05efdf40ab10afcc1448c59d1a144bc326af5357068160ff673a7614a2bb07e29a7d406a85efe983e0b9c4839728cf8ce714e