a860f0dc3d18d1e6fc0fa316cc363c23832868425d8489fcc1e443de19d864f8

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
Size

2.8MB
MD5

d53e1fd335365b1ef134d07eb861c402
SHA1

5d6616769a256a3b6cfcb242a8522157b8874d60
SHA256

a860f0dc3d18d1e6fc0fa316cc363c23832868425d8489fcc1e443de19d864f8
SHA512

d7cb5eac5d64b2e63af2d199c428e8d9bd3450e78910e6ef181a9e3a8e637e763a363da448f1eae07ed9b1567b3f41585999517d6743ead13a4f4d5b586a1711
SSDEEP

49152:OJgd73Il7j/h+n1qB3qKXhnbyMMku5vEFTyfvIdFo37mGGRIWpZ:b2/hQV+hnBM7E0fw8mDRbpZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2532	ANTILAG.EXE
1644	ANTILAG_SETUP.EXE
2744	is-U20DN.tmp

Loads dropped DLL 3 IoCs

pid	Process
1644	ANTILAG_SETUP.EXE
2744	is-U20DN.tmp
2744	is-U20DN.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTILAG_SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-U20DN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANTILAG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2532	ANTILAG.EXE
2532	ANTILAG.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2744	is-U20DN.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	ANTILAG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 1984 wrote to memory of 2916	1984	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2532	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2532	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2532	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2532	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 2916 wrote to memory of 1644	2916	d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe	32
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33
PID 1644 wrote to memory of 2744	1644	ANTILAG_SETUP.EXE	33

C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d53e1fd335365b1ef134d07eb861c402_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\ANTILAG.EXE
    "C:\ANTILAG.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\ANTILAG_SETUP.EXE
    "C:\ANTILAG_SETUP.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\is-GPIAB.tmp\is-U20DN.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GPIAB.tmp\is-U20DN.tmp" /SL4 $70150 "C:\ANTILAG_SETUP.EXE" 558287 188928
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ANTILAG.EXE

Filesize
31KB

MD5
406a199cb8e3f2a56fedbc6a47e12685

SHA1
ebf91f67d7f6058b798970f777fe4298e1751f8f

SHA256
beaead6b3de120eb0e813f8ee5151d3ca35158e86160ca6c284aa5e523d56458

SHA512
82a586e1312a496a0b7e0d59a05478a32dbb386aec98975e94308f0534bc5234e61997f4d81567be50181b8523d8604db9ab606de6c24b3cefdd66869a96dda9

Download Submit
C:\ANTILAG_SETUP.EXE

Filesize
816KB

MD5
1ed9814430fbc71dcd945e5b301869b2

SHA1
f1321b86961236ef2ee784d6e7d3458c626cdd71

SHA256
2330449f8c4078af0055678bcff93119cd14468862d7b9ac028dc1c3f6bef466

SHA512
81f191bcd10420a3e7c07119bc8d773c23a2dac5407dc3a07cdaaa08cb4ec61c4398aa892f9f116c39b5dacf1df0de07febf11368f4e49556d57afdea06ece92

Download Submit
\Users\Admin\AppData\Local\Temp\is-GPIAB.tmp\is-U20DN.tmp

Filesize
786KB

MD5
fc10aac848e111b8d7638c259f36b772

SHA1
036f95dc3ce96047b27137b8a0a4149aebc549b2

SHA256
9ed0d7858b59ca6d7261ae10c5127feaf384e87556fd2f7329c1768fffa682fe

SHA512
be795088394d843685aa3106e0171054a141c1a300a399fc1be9ebdeb36cbc73d866f2251fc56525b93e5ce11c601a5af680ab7eb7f113f4c15a542ea72668d7

Download Submit
\Users\Admin\AppData\Local\Temp\is-TGELI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1644-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-45-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2532-60-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2532-59-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2532-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2532-34-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2744-62-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2916-10-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-8-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-2-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-31-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2916-6-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-30-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2916-4-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-23-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-14-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-41-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-12-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-18-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-21-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-20-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2916-19-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download