Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 14:46

General

  • Target
    d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
  • Size
    406KB
  • MD5
    d688a340441d370588dd0faf0c528976
  • SHA1
    3d5f6ab68517fcb4bf29daea374062cdc1089edf
  • SHA256
    fd3930ade2ad5f3d7ce6d0a89cfb934e07c18090679904dcb068d790c559170d
  • SHA512
    b6e1d230affd24ad95623a87443a07fe37a1beb7386c5514a45bfbf0294da38b63c6d06336739c3c9e0537d3a8b350a65f75c0017ee8c27e65742055aa750fb5
  • SSDEEP
    12288:itxqBTfXKy/TNxDvb3NbIsnlpRkIg8jZMkIqWM1E56:exW/ZTLrrJkKMdqWMi56

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Users\Admin\AppData\Local\Temp\eqs9AB9.tmp
      "C:\Users\Admin\AppData\Local\Temp\d688a340441d370588dd0faf0c528976_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 176
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2872

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
    Filesize: 291KB
    MD5: bf0ffd0ae568300617bad1a389911b56
    SHA1: 3030d601629504b6e1d45c557690b24a787227ec
    SHA256: 0801299895ea96621ca67dbb2f602fbada6dbf471591084358fb59f99e237a88
    SHA512: 9095c9b4380a7b6fab5de1d267a9439450a32e4472ea61aa0e26e9611cdff5431d6bbdb0bf0ecda6423b74fcf3e09dd2b6264e6500b0269a6ac919c4fb28506d

  • C:\Program Files\7-Zip\RCXEF74.tmp
    Filesize: 12KB
    MD5: aa08e94834828337c60c23d63ec8af5f
    SHA1: 9e23ab8f4a5075614274b5a10530149e2260560d
    SHA256: e5698ffda00cbfdc03b674fd751ba062436a474ebfa7214977d3795796e9da5a
    SHA512: 732763151c65a865c811b6dc2e0d9a9cceeb2d0e800950110d75f9e8c143fe74ee15da2c629762ef98c130dc264a188bd33396f71255e2f0489f5ea7ec8baf12

  • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXFC43.tmp
    Filesize: 16KB
    MD5: 9214178779d1764b1b26ec36211ca00e
    SHA1: d36e4a3a2d7a5f47ff6e7c55984c5231f4123acb
    SHA256: cf13da778562ddaf32cb3915fef8fb0a9a4ae90318cf8a3782c8f360f195a9ad
    SHA512: edcb4d717fa0dbb0d28709a38653b658f72e6107d8b5dd99db87b4142b8f9fd38d27cd21ae18c7837b7b36096a955317df52248a07c477b84f4c69a2b5514235

  • \Users\Admin\AppData\Local\Temp\eqs9AB9.tmp
    Filesize: 333KB
    MD5: 9ccd7d633b58589c239aea2d0b10b77c
    SHA1: 216ac8951c272f3b2fa78a4d5fe074ac4c6922cf
    SHA256: dd7747c5eb6c943bfd3dd5f773a020e71299928b4738db9b0495e01be554e417
    SHA512: 8370b34cbb04548e21628ce3ec96a1364d13194549aea545d1f8140536289b8cbdd31dea96f3c5eda72353b49fb784612fede2c194d5c6cbb84851cf6bc50c90

  • memory/1696-8-0x0000000002D70000-0x0000000002EC6000-memory.dmp
    Filesize: 1.3MB

  • memory/2376-9-0x0000000000400000-0x0000000000556000-memory.dmp
    Filesize: 1.3MB

  • memory/2376-10-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB

  • memory/2376-18-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB

  • memory/2376-19-0x0000000000400000-0x0000000000556000-memory.dmp
    Filesize: 1.3MB