Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09/09/2024, 23:42

General

  • Target

    d7488d904f5e9ff786bde969c68b9c72_JaffaCakes118.exe

  • Size

    154KB

  • MD5

    d7488d904f5e9ff786bde969c68b9c72

  • SHA1

    3c6cce8aaa55b1715cf8188e49684c0cde89297b

  • SHA256

    639f06203eb816f2b4ca16d8ad0cc22cb5b2954b39dd47d259b5cbd7985413b1

  • SHA512

    4e41585fd9c11ce0557522dc47a3459fe91558d028e3885c0193a6f3a42afab7fbdb5b1b163e084efb4abadf14277e03b1fd18f4eaa2ad106865e5b07c32310e

  • SSDEEP

    3072:DrAVguiZxHF02SOacgAf+9mzB7y7YRguXt:DWgVZ1vGAfL1X

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7488d904f5e9ff786bde969c68b9c72_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d7488d904f5e9ff786bde969c68b9c72_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\updBC0F.tmp
      "C:\Users\Admin\AppData\Local\Temp\updBC0F.tmp" --bpl="eyJpbnN0YWxsX3VybCI6ICJodHRwczovL2dvc29mdGRsLm1haWwucnUvc3dpdGNoZXJfcGRfM185LmV4ZSIsICJjb21tYW5kX2xpbmUiOiAiIiwgInRzIjogMTU0NTA2NzIwMiwgImNsaV92ZXIiOiAyLCAicXVlcnlfc3RyaW5nIjogInBhcnRuZXJpZD03ODkyNjMmdWFfcmZyPTEyOTczXzc4OTI2MyZhbV9kZWZhdWx0PTEmYW1pZ29faW5zdGFsbD0xJnBhcnRuZXJfbmV3X3VybD1odHRwJTNBJTJGJTJGc2V0c3RhdC5ydSUyRmFwaSUyRnNhdmVQb3N0YmFjayUzRnRva2VuJTNEWndxcndHZ2RDRCUyNnR5cGUlM0RyX25ld19ydS5leGUiLCAibG9jYXRpb25faWQiOiAibGFuZF9wYXJ0bmVyIn0="
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Mail.Ru\Id

    Filesize

    38B

    MD5

    ea293a86df76c1b03002cada5cf05f83

    SHA1

    8b0a92a93bb7810aaab24aebca076d96e2c0e5ff

    SHA256

    685d658f46ad41ccf04dc87de7bb025c8a0453d79bc8e43d6658f3b2ae55fadb

    SHA512

    37e6725fd1e65dbad4678533e3a2a8d61cdf16da38beefff263b38220d1de5d45009b8cb79bdf53f819b3201a3847259e2cc79a9807f6606db0e3834e15906c6

  • \Users\Admin\AppData\Local\Temp\updBC0F.tmp

    Filesize

    1.9MB

    MD5

    59ec4314e2a54053778d3862368d639c

    SHA1

    a6e7e4383d2a49460f90f46d81bf31260fb71a50

    SHA256

    8dca302c817de6eab1783ed87139cbe2c0da2be2ccc077cabac12ac3237dab91

    SHA512

    48ec36e24c66df5951a35ff366aa80b70aef005119438e1a97dcc81b21e726a4f1eb7e9000026a75811e1fd7ef51255df28647b30140d136af223acf4e968834