Overview

overview

9

Static

static

7

d99603df62...18.exe

windows7-x64

9

d99603df62...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d99603df6276af9b8e6b21bf4d4625e6_JaffaCakes118.exe

  • Size

    85KB

  • MD5

    d99603df6276af9b8e6b21bf4d4625e6

  • SHA1

    39e25b80973744f8333ef85bdff20d19177944f8

  • SHA256

    5b7963bb99af42f79ebc4705a65d5590ad9ee2998f9f397ccc4d99b9d7170dc6

  • SHA512

    274c55ef7263e6c07fa39245321559375f6fec9dac913b931f01086842bd5e74bb3930f8b2a76a9b6a2f669bdec7a92cfcaae0881ff2cdb542c6dc695f0cd0bd

  • SSDEEP

    1536:LsbfBRMHtvrNo0S6CW+/jvuqbY3bqKU7oL8zaM0VpEDV7/0Mp:4bfBR0azDrmF3bqt7oL8D5

Score
9/10
credential_accessdiscoverypersistencespywarestealerupx

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Drops file in Drivers directory 22 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d99603df6276af9b8e6b21bf4d4625e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d99603df6276af9b8e6b21bf4d4625e6_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Drops startup file
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    PID:4508
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
    1⤵
      PID:1096
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1728
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2984
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
      1⤵
        PID:3796

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Credentials from Password Stores

      2
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Windows Credential Manager

      1
      T1555.004

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\JP7UZJJW\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        cab6fafe0d3c06cbf908de740ff71099

        SHA1

        3ee65028bc7b54d554d31794784cc8becb79fcbb

        SHA256

        56d3d18ab20b8c8b92deade6bd8088ff8283a17da5d762f1081aa2a66ceeb359

        SHA512

        280383d0bb098463b1524f929f744842889cd11492affd00f4df9c4f735d074a935cc344b2293c696639d12c7684ef51897027ee8cd58124d66024908e673f5e

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8edca5db-df5b-4545-9b3c-98cd7ff950d3}\0.0.filtertrie.intermediate.txt
        Filesize

        1KB

        MD5

        9913dee3ab28ad6ebd60b930d6ee8da3

        SHA1

        6e6327df9f85d9037d83a4f537f32541f46a1dbc

        SHA256

        3bfac338a56813338b62dba88261ff9b1aa7e505af5f7a50ab9960a35f6ed5e4

        SHA512

        e7dead4ccbd7468e7d3d1cc930be40bc5fa0a881b406318bd56346b27651c3a58611c086b369de641f058af5748fa02eb5e02b9f482ff2443d2fbf442c04188d

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8edca5db-df5b-4545-9b3c-98cd7ff950d3}\0.1.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        34bd1dfb9f72cf4f86e6df6da0a9e49a

        SHA1

        5f96d66f33c81c0b10df2128d3860e3cb7e89563

        SHA256

        8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

        SHA512

        e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8edca5db-df5b-4545-9b3c-98cd7ff950d3}\0.2.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        c204e9faaf8565ad333828beff2d786e

        SHA1

        7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

        SHA256

        d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

        SHA512

        e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8edca5db-df5b-4545-9b3c-98cd7ff950d3}\Apps.ft
        Filesize

        2KB

        MD5

        ae92d8e34c6863d31010632e1472cd7e

        SHA1

        b6a286b8bc20d4b8fa1b29d234d71a89d696de9a

        SHA256

        ed6fdb649852ae050e65b42f4b2f0151f06aeb57f58aee36818fd6925ce1e217

        SHA512

        589e9ee259b2efe4cd4d94307075850274d324ba4232d2870ba4bf8fc570ad0b2d9b9ba1ea31f9aa81615b144c61418c6d09d6b24200a5d16b01eb36450e5eab

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8edca5db-df5b-4545-9b3c-98cd7ff950d3}\Apps.index
        Filesize

        881KB

        MD5

        832fb9cd22b122f6c9d68f9f4fcc3424

        SHA1

        d398a299d12f6aeb005c724d1abd62edebabbac3

        SHA256

        e439f475eb0b32c6dfc9fc485c979b3e15126b54995e2ff9719bc4aa1910339a

        SHA512

        ba9e934a0880d09c4675d012215001feb282beca68d6c9885caaaabb31d6d3ef32bfb0d48cc9132bb977eee64ade2245fba29c6d5878e9dc9d3c740268d47922

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{18c0dc2b-8808-42d4-8db3-b1388ad38400}\apps.csg
        Filesize

        444B

        MD5

        5475132f1c603298967f332dc9ffb864

        SHA1

        4749174f29f34c7d75979c25f31d79774a49ea46

        SHA256

        0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

        SHA512

        54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{18c0dc2b-8808-42d4-8db3-b1388ad38400}\apps.schema
        Filesize

        150B

        MD5

        1659677c45c49a78f33551da43494005

        SHA1

        ae588ef3c9ea7839be032ab4323e04bc260d9387

        SHA256

        5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

        SHA512

        740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{18c0dc2b-8808-42d4-8db3-b1388ad38400}\appsconversions.txt
        Filesize

        1.4MB

        MD5

        2bef0e21ceb249ffb5f123c1e5bd0292

        SHA1

        86877a464a0739114e45242b9d427e368ebcc02c

        SHA256

        8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

        SHA512

        f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{18c0dc2b-8808-42d4-8db3-b1388ad38400}\appsglobals.txt
        Filesize

        343KB

        MD5

        931b27b3ec2c5e9f29439fba87ec0dc9

        SHA1

        dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

        SHA256

        541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

        SHA512

        4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{18c0dc2b-8808-42d4-8db3-b1388ad38400}\appssynonyms.txt
        Filesize

        237KB

        MD5

        06a69ad411292eca66697dc17898e653

        SHA1

        fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

        SHA256

        2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

        SHA512

        ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133705014662398623.txt
        Filesize

        2KB

        MD5

        ecaea544af9da1114077b951d8cb520d

        SHA1

        5820b2d71e7b2543cf1804eb91716c4e9f732fde

        SHA256

        9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

        SHA512

        dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
        Filesize

        200KB

        MD5

        9bc0bd1ed78e637684d95cdfd12fb10f

        SHA1

        7855fce054a32fa5717192479327892cd1a8d882

        SHA256

        0b05381dbd56f3679bb3907fdcc91784e83ee73ff19824438e65aa48bc8c193a

        SHA512

        6e7657da65f8b08f83ebd40721be94c64fff3e951311ac7b9117bb9b3da59f42fde8a6c8148b47e8c4cb73b61f728b8e69c0d5332fc177b091909d5bab4efddf

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
        Filesize

        1KB

        MD5

        4ebc36266fc942a657f7f2e15f6ed5b3

        SHA1

        4a13de16962c1148baa0c37dc393af224a8f1733

        SHA256

        8a38b66f81f3ff05bcd1fb97f1f70cc5fb027b1b38c74e202a6f96fc4c6752f8

        SHA512

        6d4f779cd9adc8e28ea406ba7d6aef798d51de83767d1f603634c6617007f0c83737ec848dfe06ceeda8e12ddc9d3cfac58c03d9cef1d712b27d80bf6d9e94ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
        Filesize

        1KB

        MD5

        c4d1b74c0d5f7a600ad8802c2472459b

        SHA1

        32742308c900541cccae4233c75b0ac510680c5b

        SHA256

        82c73fbf51f0c9d475354a1e709312f4ad7a1813a7754322c956d10c13c18bc5

        SHA512

        d71f6d9e55131b9639fb95975cc63eee7fd95a005a5690bc9dece086d5fc0a67968eaf26f14a6e037c8ae61937d818a42489e79616ec4dff36172356bfc4bfde

        Download Submit

      • memory/1728-49-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-69-0x000001823EEF0000-0x000001823EEF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-50-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-55-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-56-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-57-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-58-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-59-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-60-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-61-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-63-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-62-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-65-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-64-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-66-0x000001823EE90000-0x000001823EE91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-68-0x000001823EFA0000-0x000001823EFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-67-0x000001823EE90000-0x000001823EE91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-51-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-70-0x000001823EEF0000-0x000001823EEF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-5-0x0000018236A40000-0x0000018236A50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-52-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-53-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-54-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-21-0x0000018236B40000-0x0000018236B50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-47-0x000001823EE60000-0x000001823EE61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-48-0x000001823EE80000-0x000001823EE81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-46-0x000001823EE60000-0x000001823EE61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-44-0x000001823EE50000-0x000001823EE51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-45-0x000001823EE60000-0x000001823EE61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-42-0x000001823EE50000-0x000001823EE51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-40-0x000001823ED10000-0x000001823ED11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-79-0x00000206A0170000-0x00000206A0190000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4508-0-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/4508-4-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/4508-3-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download

      • memory/4508-334-0x0000000000400000-0x000000000042B000-memory.dmp

        Filesize

        172KB

        Download