Overview

overview

7

Static

static

3

d9d8eac20e...18.exe

windows7-x64

7

d9d8eac20e...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9d8eac20ee056aef299b2ff04fb5bc1_JaffaCakes118.exe

  • Size

    110KB

  • MD5

    d9d8eac20ee056aef299b2ff04fb5bc1

  • SHA1

    7b9d3654e348f6064f6233cc297203c897ca581b

  • SHA256

    899fd9291112a2dad595f7fd749b7de5027da5cf1c9bb05e9ea90796d1207d44

  • SHA512

    21da9f37af663f04fe5c2bd9e4712b437bfabafa00f8d35e3755921e49a0c8ff7b12b5620eb96f0c1eb4bfc4b56ec99ef84723ec15ba04198a9d83b63a38f274

  • SSDEEP

    1536:awSGenMXapWhZ1a8tPRDWAqEaPQ2AEbd4UFtTPL6PRWpvn8rJi8ZylQF:axMXapWhe8tZDWxRzA4/HArvIQF

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\d9d8eac20ee056aef299b2ff04fb5bc1_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\d9d8eac20ee056aef299b2ff04fb5bc1_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nashy.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nashy.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nashy.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nashy.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml
      Filesize

      14KB

      MD5

      a137ae9a70eee13ac53e539dd845d2d8

      SHA1

      66027d456fc880ac0f744a0c81ed09c56e79eb08

      SHA256

      a01c54039514ba87a1573dee1a4d53b9c665cd64fdfb30fb5009f12288aa9ec4

      SHA512

      3328c82896365dfbdd325475b9ae58b6c7e8109e3d54a555c343948aafdba2fda19403b25eea5d504fe881ebeb20304fc3bb075fddb5a9f577af7da86d34a083

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
      Filesize

      12KB

      MD5

      8156706568e77846b7bfbcc091c6ffeb

      SHA1

      792aa0db64f517520ee8f745bee71152532fe4d2

      SHA256

      5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

      SHA512

      8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
      Filesize

      8KB

      MD5

      7757fe48a0974cb625e89012c92cc995

      SHA1

      e4684021f14053c3f9526070dc687ff125251162

      SHA256

      c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

      SHA512

      b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

      Download Submit

    • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
      Filesize

      451KB

      MD5

      27df88537ca59892dbaf84f87bf4460e

      SHA1

      6e22e50ec5ca859a90a0c19707758700a23f3ce4

      SHA256

      1a00663d12aa3b4bf04cfc184f2c1d6e6a143f28057399e2061900fcfc5f5de0

      SHA512

      2ab86fcf8239244c50e307ee4f3f9af246d364fdf68f74cea98b8dd3efe6c562cd98d189b7739a6b692c325125c7ef35b5756c6d3a137ee7d03bba933a2c81a1

      Download Submit

    • C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
      Filesize

      640KB

      MD5

      7d5c0e8eff02c4762ec2750c012672fb

      SHA1

      6349354ae68dd39440d9fdd83e597f9c70059b9c

      SHA256

      4fbae47827d6865813730195b9639084316603313c289e257d9120d06672b51a

      SHA512

      321b4a28da6bb6f4f7adc35c8c6f98d22f93f40e0f75ba2fa44dc223c609599af7769c7aab3f41eb02f97289a75ae3ea61f307171975f12833f8fb0eb5945750

      Download Submit

    • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
      Filesize

      640KB

      MD5

      51e7de47bf474ae9c54f486bfb0fb0cb

      SHA1

      3f24cf09c99250f52aefdc22eb82716d0f0231f5

      SHA256

      3c30ac5466cf4b2ac90e8a7c9d36a941773bc02aafb0ee0af9a255cfcc7d10bc

      SHA512

      af6077e7dc9baf4e7a28a48699a92a92ac717f9fc22a2681ab2554c12467d6dd3df584f708298b0226460b83c54368d265d245a98891d4b926c99c27afed88ff

      Download Submit

    • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
      Filesize

      461KB

      MD5

      fd18b53d225ad1b0f2d922f3787aea7e

      SHA1

      167c7e296a232394fd427bff45df6b3199a76c48

      SHA256

      770ffca6ade670988c29618cb20f1b0b6d0f7cc22a91899493b415c9b4b53932

      SHA512

      cf013402f9cc08f9a66b1a71656eae5b57d1127cf51cf0b2d0d4f420c0b7fe43f09db916e0a275cc6cf954b0d4da18dad194898e6c18451ef4607a4d20aaa163

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      451KB

      MD5

      0554cc54144b8fb7f6cae63bbaba3795

      SHA1

      6409865254353d12a60a7a170efb09646c4b5f6a

      SHA256

      6a3d4f3224a804a1c0303f51efae3f108b99f490c4068a9fe045658e330f8fff

      SHA512

      8754e7a3b2b4d2e2f20fb721d4602a57bac39102cf25975fe68324c2cbd3b178addbb8c91c99cbff7064e40535c900ea19148121c806ce7db06a8f19e8518b0b

      Download Submit

    • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
      Filesize

      461KB

      MD5

      42bdde3f131396ff83b3aaa7c5e546d6

      SHA1

      83bb4793d7111737ae52db7fa4f47d67806141a5

      SHA256

      b5beaaad877321ce4a6d520fc8026ab689bc7dd5a364fee7efb873d68d5f7189

      SHA512

      5e002207f5eaa15a45adee6bac3487c3b9241af4045f8b60aba99b60e9bd53b590a83ea29d9a0dee0734020849bb85dc4fc8b824a799864b5ce155655db124a9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ose00000.exe
      Filesize

      152KB

      MD5

      12feb32986631f3608a71bd3a8773be8

      SHA1

      3ad6e089135989cebfc5421b6452443e56fba845

      SHA256

      d9e9cad1e75a56ba5b98e56a96de7be77a3bd4de8248f6220b8b6edfdd6969dd

      SHA512

      94a42a3c8fc4d07d98fa0a980531016c3e0c44edd6c4b933787155c350222495a2631e542882306dfef8c07d8d6e87db20be3d141c0f3afbacbe48232beb06ba

      Download Submit

    • C:\Windows\SysWOW64\runouce.exe
      Filesize

      10KB

      MD5

      257e41fc670256b6c422d0dbf50e9673

      SHA1

      d17fc0252793dec5842093b50e0f663e9d6d3425

      SHA256

      1105cac66abb4e9356ee426a67f40324e534160135264d043253b59e6b082708

      SHA512

      7942403a79f465fa286714cd4e1a29403f3cd23d9edbae6f2fcc8a20d877c7c72d092aa79f4d7b01106a93d76932d4f6ea61dab719b79a4ba92166233191c433

      Download Submit

    • C:\vcredist2010_x86.log.html
      Filesize

      80KB

      MD5

      97842bf77b157c204005834ee6a4a151

      SHA1

      29d3e64b4a8fda7ff2d6c42704ed921402bc8d2d

      SHA256

      f58376441b4403f86dcda7bed491c9ab0c11b108bec83d02e877153b0c4e5d26

      SHA512

      8b20ef94e463cc49aa671bc7fb120e092eac94c871eda805239795fa3025cc59f00ce75d357453828845bf65965d7a2168e3aa9f39adc1b62dfc6155696f8c84

      Download Submit

    • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Nashy.exe
      Filesize

      45KB

      MD5

      a8d5395595b37908a079df232c8a4e21

      SHA1

      71ee2211d1f45833f67a9344afc121208bc0eace

      SHA256

      078a9f9fcaa7a979575dfc8be7f2325715e2ab219a006035a4cded612d67af25

      SHA512

      829bc8c51c5d206831e1247f849698d547fcea5de8e3576eebdfa4c70b46f6992c7093fae1af19876b5a9dff4abb77dd31354e2c2648fd64ff5df754903f5328

      Download Submit

    • memory/1208-24-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1208-27-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1208-42-0x0000000002A90000-0x0000000002A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1776-985-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-16-0x0000000000260000-0x000000000026F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1078-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1075-0x0000000000260000-0x000000000026F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-415-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-661-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1074-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1068-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1037-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-12-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1776-1065-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1804-0-0x0000000001000000-0x0000000001027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1804-22-0x0000000000100000-0x0000000000127000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1804-21-0x0000000001000000-0x0000000001027000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1804-1072-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1804-1073-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1804-11-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/1804-10-0x0000000000130000-0x000000000013F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2396-23-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2396-18-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2396-38-0x0000000010000000-0x0000000010013000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2396-37-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

      Download

    • memory/2396-20-0x0000000000020000-0x000000000002F000-memory.dmp

      Filesize

      60KB

      Download