Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-09-2024 16:51
General
-
Target
d2668c20ed0b1df8b6a7929face687e5_JaffaCakes118.exe
-
Size
512KB
-
MD5
d2668c20ed0b1df8b6a7929face687e5
-
SHA1
142251ee0b37ee96b07cd477617c27d091595481
-
SHA256
d1aab6dfa1a45af81e2ef196e975a2fa9179e987ebec5ecf824a8d1cdbee4594
-
SHA512
235352d8c8bc4d31b5d7b17d36418aea560ee40b3dcc30f40ae0658d88d405f33b764283f2356c05d13cc80017db855c19d90ed2c606651e073719aaee833bf7
-
SSDEEP
6144:pJr2u3vc+qmw4GMQUYk5ffhC7qBT9qvhHYMVQSgt9uIYxC9RuAjlvXCx:X2QPqmw4G1qBT9MPVQfjLSEfs
Malware Config
Signatures
-
Kronos
-
Modifies security service 2 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d2668c20ed0b1df8b6a7929face687e5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d2668c20ed0b1df8b6a7929face687e5_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
532KB
-
Filesize
532KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
84KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
1.8MB
-
Filesize
20KB