Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
10-09-2024 18:26
General
-
Target
d8cbec4b3e65277a3e0d5379eb741ad0_JaffaCakes118.exe
-
Size
2.8MB
-
MD5
d8cbec4b3e65277a3e0d5379eb741ad0
-
SHA1
5f3d45113f3b204de3501f22f0eae991ed392bb1
-
SHA256
af2cadaaaa720be13535c0409238c6b7b73e256064ce57c3120f58f32aaf2538
-
SHA512
2299a75241d09cd659111ba5d7ccdaf4a92b43ff93684934261bc2120dece89022fbf7d7bfc98a571677156743095ebc4c6955478058a4195e2018c0fe1a7037
-
SSDEEP
49152:/Rivo7pW5BOLro1Zj5ajB0IG6xLfPK7/gnizytn7O+kYvAT4QUD0ldgcu:/yhOLkajB31xTK74Cz+kYc4Q2YKc
Malware Config
Extracted
Protocol: smtp- Host:
mail.gmx.net - Port:
587 - Username:
[email protected] - Password:
yk;2]jNfT"&f=YH'/Q_}
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 10 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8cbec4b3e65277a3e0d5379eb741ad0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d8cbec4b3e65277a3e0d5379eb741ad0_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\BAKJFX\EEO.exe"C:\ProgramData\BAKJFX\EEO.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\hklgs.exe"C:\Users\Admin\AppData\Local\Temp\hklgs.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1845⤵
- Loads dropped DLL
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 1885⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2fc 0x5141⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5520 -ip 55201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5520 -ip 55201⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD582ccf210ed88362657e0f039fcbafe13
SHA19311381e7ae10811aaae96d895691dc6181cadc1
SHA2560727194f4bb695a4b693064a3259d6dc83c83a72a724557d0c02258e7eb327a2
SHA512ef01a24007ce1486af1f7cd0c83c0070a5ffc2ef8a1cb7f54c248d1c7cbebee1c920e65b88e931b121eb8c2899f1703ea68d44b2bedd191c688e1782fd0712d7
-
Filesize
79KB
MD519d764600a077d7cd8fea1121783455b
SHA196a7933f0fc74b05cf483c08f622dddd44fddc85
SHA256ceb26c00299f3789dc0482af176b3b25fd0f0128eba3b0bdd1afc2231da48007
SHA5121183878224418d9c3a33dc51a5f0c335c05135006b56f2bd9fb7798dddc482cd999dad56344b20cb251fb1c4e8ddbaa00d562235a453bf17f3f8ebe022535825
-
Filesize
2.6MB
MD5febed93b7b98841b06b361229d10780c
SHA1a1fbfccdbf5b797f812331b4f75e8cd8cd4e2054
SHA256bcfc9f2bb4bcc84b13cdc8136fad7c093e86c0a672a0c76d64ffb96b27ea77ae
SHA5127519ca500d54516ad3e1d6953ee78e2446cb196b9ea39426d4d25bb863ae29ba1eddc5c0cdf5016da137afc835a12a15e6272460d5fa89e93f4286b268d205fe
-
Filesize
451B
MD502a584f4fbed99a659b91303e236481b
SHA162e912e7f8ae57bba24dcea5fa261d4f92608493
SHA256b49cd1bf25a6d26f0219e577ce862aa7e268b168bdae7f1114c8f230d6b97c82
SHA512b08356732fd3c3f9cc00e48f9f993d7c01a755eb4894336562c89cd83d0428638ac1323923d799bc6bb87ee7a2629e14b0e2b9ca2393abe54f0177affc7beaf6
-
Filesize
1KB
MD52356ec7ba4e021ca2e60907d1c3b477a
SHA1176856da384c871183198cc6cc4305a81bdb517a
SHA256657ca27ac2a5e5f248bb26312cc4d1c4e0331b3e66c41e6dafcda6f42fb60ede
SHA512c4aa78b922d7a606a0cdd7932b8ed73820559d1d51bcce4e23e4b39c4615302b377bb3ca5a763a87323cc20f704ed75dc5aedc0cef2deae92fb1915a8533847c
-
Filesize
43B
MD547fa64f23994c73a0042890c12e14859
SHA1cbb5496b8211b23768ad5adbc53f6a415335e7bc
SHA256f23eb29db3791783804986fe1cdc40a361781b0b3b04a7477e69bc607a5f30b6
SHA512f9d6430ccc5be0c7e345b2a75721dfb44eddeced6a704a1cd46926b1102b3510d2fab7ba0d02ee5a688943598b7cf8adaa389d54ea6044178713da0c7ca3615e
-
Filesize
640KB
MD578935a98c91ddc761140986d5cf593ad
SHA16fbd31bad45f91bfcd69f43c352562f0fdb1a396
SHA2561c41163af8211371b9e677ab814e9cfcb2b70fa041a68b86096675bab20811a9
SHA5120e554aa52f408cc41b72c89bef3f18505e6106633b23777fa4c4a48f2c3adb733ff05415b6646362a9459cd18b493b11c8e1fe512fea24c21015ec41fbcd6ada
-
Filesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
5.7MB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
5.7MB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
5.7MB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB