b0a825d60cd77873437a57c2fb9a42aa2a7983eec27307e7242a1390fb9e48f5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Size

172KB
MD5

dd7123e014e067e0927b4189eaac4264
SHA1

2ce7f04c3cec8aa926a282080081a1cb61781820
SHA256

b0a825d60cd77873437a57c2fb9a42aa2a7983eec27307e7242a1390fb9e48f5
SHA512

1bee2d19f060c3d1d116804e8c131752df129934a362a69f1a627dcf62b7790636beba1d7514deff40a89d58a93f9e2ebf5d42d1a42cf5628f28dd8145663332
SSDEEP

1536:23vhewkJj7tm2UgiNWh8mdKbN8RINnLGobNl8BP0p9jQx2cAiiDbB0snVHsIGoR8:4M7JX3XiFdlbNeQ9jUWiaFHcIkJpm

Score

10^/10

credential_access discovery persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Masterdark1

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
1136	ひyбnhсC.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdateserver.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe"	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1136	ひyбnhсC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Token: SeDebugPrivilege	1136	ひyбnhсC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2008 wrote to memory of 2748	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2748 wrote to memory of 2784	2748	vbc.exe	32
PID 2008 wrote to memory of 1136	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	33
PID 2008 wrote to memory of 1136	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	33
PID 2008 wrote to memory of 1136	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	33
PID 2008 wrote to memory of 1136	2008	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xf4gf7nm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF152.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF151.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe
  "C:\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF152.tmp

Filesize
1KB

MD5
616c72efa37c12279c37b62f33a55c05

SHA1
8c5e401e1a48204b667763f9f1797ddc1a54ce0f

SHA256
3fb2fb5a4d8f5f04ba70a31e868a462368426f8afa46957f05d5f7e022fadad8

SHA512
6491dc02404cc671e0b5ce934796d18c5a896404c6a661506a9e2158af33f01144fdf4e497634a03fa7d34cc90d81f79a5fed927d26e352af2ce5914029e6a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF151.tmp

Filesize
644B

MD5
99391a82e5b561dfc9cc7ac81a1cb201

SHA1
0ba207b51bb89f646ad3d24983bd9494c5c97919

SHA256
f65b6aab72948c9a1727295169c5f79527ab39d7dfd67e0493ab6d501739d8ee

SHA512
7915df9d88875ad7d8fef7070626750d0aa00a2ed006b17d61c770ed44bfab4c29c13a79a29b8adf865b3fd9c94e2f748708c968d7c15e2aa48e187406908f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf4gf7nm.0.vb

Filesize
2KB

MD5
aa63eaa0e3f951e18aff653d2e387b79

SHA1
df06ee9b9bad2a7765a6fb1ac86edcfc94e2e97f

SHA256
6724b5f82d8c31ad8f2fb75a5561d80df0ff88abecb49fcdbff4c6be0e647229

SHA512
fad912278340f23d6400480b2f734284f2d34321596bb5cdb4a4bc6b23c88847b9f2635fb2938b168c57034e0d57fa3e0ed0044c53b150dba3a050f364a5ed58

Download Submit
C:\Users\Admin\AppData\Local\Temp\xf4gf7nm.cmdline

Filesize
240B

MD5
4649dc35f40e7eefdd1c940b827915e6

SHA1
90ade2ad9ced082f11e00863b427c23b71daf0d0

SHA256
fecb35c218991fc59992342e47ad4de0ff09ee8200e8f0c8164a8446d38b5e4f

SHA512
2a99e257efe4bed17327a8b7d88d86f3839163b4cff62553344c9b1a8e542caa0ba10abf061261658ffda5368273ca8afad6cfa51ae61dd5786178c4b0257da6

Download Submit
\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe

Filesize
7KB

MD5
8a63a0a0f1edf80d78c39fc77bfb6422

SHA1
ee2b279db879fe09c86314910d800607cc15bb24

SHA256
b25753304e1a0752e869bcb65e5ebe2947012bc934929af8bf012d04b668b470

SHA512
407bdbdd247a9be8058b93dc5033512ad97bc842aff2a83b9268db835bcac0090d4e01ab8e31cdbce027ac84e628aeb6d39e8b8c28954325b8c0646cc11f7c6c

Download Submit
memory/2008-0-0x0000000074682000-0x0000000074684000-memory.dmp

Filesize
8KB

Download
memory/2008-19-0x0000000074682000-0x0000000074684000-memory.dmp

Filesize
8KB

Download