Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 20:35
Static task
static1
Behavioral task
behavioral1
Sample
d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe
-
Size
505KB
-
MD5
d2c992a41fdddb48ba5502d1fb1f40fe
-
SHA1
3b0142b2961e6b2ef098c6e904648908127a3385
-
SHA256
3beddcd230bc851446d1b6e8e612ab3809bb0c7cc252a3a896befffc762ae2ad
-
SHA512
00067ce97d587ee9acf742b2a0fdda5a33584cd1f6632b3c64a4bae781abe15b567d03299e8655d230672490ed6e5cd52489e058d94befa7f0c8802180d20ca4
-
SSDEEP
6144:XJfbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9C5I:ZfQtqB5urTIoYWBQk1E+VF9mOx9p
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.com - Port:
587 - Username:
[email protected] - Password:
poppop89
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/3596-8-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3596-10-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3596-11-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/3596-13-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral2/memory/5028-18-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5028-20-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5028-21-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral2/memory/5028-29-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3596-8-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3596-10-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3596-11-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral2/memory/3596-13-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/5028-18-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5028-20-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5028-21-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral2/memory/5028-29-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 whatismyipaddress.com 9 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 744 set thread context of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 set thread context of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 5028 vbc.exe 5028 vbc.exe 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 3596 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 89 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94 PID 744 wrote to memory of 5028 744 d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d2c992a41fdddb48ba5502d1fb1f40fe_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3596
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5028
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196