Analysis
max time kernel: 149s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 04:37
Static task: static1
Behavioral task: behavioral1
Sample: d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Size: 271KB
MD5: d117a75095be71e7c5feb00118a4b212
SHA1: 11705700db56239779f20077b9197987c17c1590
SHA256: 450a5243fbb6988b98717429de9b5b756a50212e38c218ba7984bf237de4bd63
SHA512: 35432c5d20260043ba94c35e93adb1a0c907a11c1995d3f545490f71a711e9e39adfad62897323e9ae8d84619f160ee2fe66a71fb9ce795b27a1f24104767166
SSDEEP: 6144:BtfDwsjPThT5zL2e6FJph/ox1M7JtLLpSVurRuTb2syNcGJ:B5hVxekqtLLpFRuH2sy
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid | Process
1984 | Logo1_.exe
4516 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmprph.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\setup_wm.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Logo1_.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\virDll.dll | Logo1_.exe
File created | C:\Windows\Logo1_.exe | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | Process
1984 | Logo1_.exe (16 identical entries)
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 4840 wrote to memory of 3992 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 83
PID 4840 wrote to memory of 3992 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 83
PID 4840 wrote to memory of 3992 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 83
PID 4840 wrote to memory of 1984 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 84
PID 4840 wrote to memory of 1984 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 84
PID 4840 wrote to memory of 1984 | 4840 | d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe | 84
PID 1984 wrote to memory of 3536 | 1984 | Logo1_.exe | 56
PID 1984 wrote to memory of 3536 | 1984 | Logo1_.exe | 56
PID 3992 wrote to memory of 4516 | 3992 | cmd.exe | 87
PID 3992 wrote to memory of 4516 | 3992 | cmd.exe | 87
PID 3992 wrote to memory of 4516 | 3992 | cmd.exe | 87
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3536
   2. C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4840
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a98A6.bat
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3992
         4. C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\d117a75095be71e7c5feb00118a4b212_JaffaCakes118.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 4516
      3. C:\Windows\Logo1_.exe
         Command line: C:\Windows\Logo1_.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 1984
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 742KB
MD5: 3162fb7747bb4518140f0918ec8075f1
SHA1: 6412205a42e149295c5b46f830bffae13b6472ae
SHA256: 99806ad67134ccda19b492e8dcb173be879f5f255bb03b50b4be774c704e83a3
SHA512: c5b4093c772bc783ea53fd690896e8a7f80574b14581cd3d1b378c0fb8bada08a0f80bd7358bd6e88ad4c7e7cbee7c7d53ac940d1259dbce0e4705a2ed7a39cc

Filesize: 614B
MD5: 2dfbae3ac8506c37fb3fb38d7c603d2a
SHA1: 4c7f8ce7ce1791ca9731b37439a325de5e706f4b
SHA256: b34b52d5a1d01e81a2c180aae4ad5d038b7e2015f35ddaf838abd9dadb2224bf
SHA512: ddbf8196b5c6423ef23dfc0dc9f30330b141794def02e318e4235896afe4ecabbb3ce09cd28b909001d1c610b4631e029c612b39d895c6f824a4117b42c48823

Filesize: 212KB
MD5: 21c7ce3814a6cdba5d2d8812aea6f909
SHA1: 5462eba362318bdbd26ce3a40e2684b5458a7447
SHA256: 033ddec6292fde9d6a100f69b9945b30d168ca968a738b6f5d845f5d3b4c3040
SHA512: 8f2eb3b7e3f9568d1d57b11ffd6a6bc8efc0e03bbff90911ce5614d4efc2e02da41f97ae55b7404081adabd82fdd5c5d0f34c49caaee678c031c1ee3f15ce53e

Filesize: 58KB
MD5: 1be8dfcde4662db74c0bc4f7a2673724
SHA1: 64b10f8cebda45de401e89f3c6cf1b144d9d02ef
SHA256: 5b3f69185e6948045ca979624265e249bce2b0d4b5fe3a036f0db44c9f181a15
SHA512: fad9efc85c0c0a17fc794ac5dfe05efdf40ab10afcc1448c59d1a144bc326af5357068160ff673a7614a2bb07e29a7d406a85efe983e0b9c4839728cf8ce714e