b0a825d60cd77873437a57c2fb9a42aa2a7983eec27307e7242a1390fb9e48f5

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Size

172KB
MD5

dd7123e014e067e0927b4189eaac4264
SHA1

2ce7f04c3cec8aa926a282080081a1cb61781820
SHA256

b0a825d60cd77873437a57c2fb9a42aa2a7983eec27307e7242a1390fb9e48f5
SHA512

1bee2d19f060c3d1d116804e8c131752df129934a362a69f1a627dcf62b7790636beba1d7514deff40a89d58a93f9e2ebf5d42d1a42cf5628f28dd8145663332
SSDEEP

1536:23vhewkJj7tm2UgiNWh8mdKbN8RINnLGobNl8BP0p9jQx2cAiiDbB0snVHsIGoR8:4M7JX3XiFdlbNeQ9jUWiaFHcIkJpm

Score

10^/10

credential_access discovery persistence spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
Masterdark1

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	ひyбnhсC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdateserver.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe"	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
1812	ひyбnhсC.exe
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
Token: SeDebugPrivilege	1812	ひyбnhсC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 692	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	85
PID 2464 wrote to memory of 692	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	85
PID 2464 wrote to memory of 692	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	85
PID 692 wrote to memory of 368	692	vbc.exe	87
PID 692 wrote to memory of 368	692	vbc.exe	87
PID 692 wrote to memory of 368	692	vbc.exe	87
PID 2464 wrote to memory of 1812	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	88
PID 2464 wrote to memory of 1812	2464	dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe	88

C:\Users\Admin\AppData\Local\Temp\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd7123e014e067e0927b4189eaac4264_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-aiqmdsm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD35.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3ABB66F94A2E46B78371C6295586812E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:368
- C:\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe
  "C:\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-aiqmdsm.0.vb

Filesize
2KB

MD5
aa63eaa0e3f951e18aff653d2e387b79

SHA1
df06ee9b9bad2a7765a6fb1ac86edcfc94e2e97f

SHA256
6724b5f82d8c31ad8f2fb75a5561d80df0ff88abecb49fcdbff4c6be0e647229

SHA512
fad912278340f23d6400480b2f734284f2d34321596bb5cdb4a4bc6b23c88847b9f2635fb2938b168c57034e0d57fa3e0ed0044c53b150dba3a050f364a5ed58

Download Submit
C:\Users\Admin\AppData\Local\Temp\-aiqmdsm.cmdline

Filesize
240B

MD5
7f676f41a248b5919069847c8f9df814

SHA1
4ce18d1c754de3255a856d4b1bc47ee3956a5e5d

SHA256
6c7f7143526c3ef8e80e32a60687403929db838a442f8e792dfdbb2023d4309c

SHA512
aa547f559ee50bc337ab4ba624521e71c1faeaef55ec96ed7f740eb91bfdbc231c2426ab6950a473317268baa1fd753e401b6dbadf3ac9e84275fde923011d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD35.tmp

Filesize
1KB

MD5
fec67d755a523f895506348008c9c5e4

SHA1
9e6da09da998a08e46ca81121b116e3df2687875

SHA256
4b4dff8a92ce9543c7a381cbb84ecbc86c3d74636a1e6f1accba287e737cdfc8

SHA512
1755ead2a5337f5dbdda12a76abef425f2383cf61dc68d905b10b9448f24e6427c6f380ea3098fea2c2464992eb023b3f731b8be06a9a49ff299f33b955bc8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3ABB66F94A2E46B78371C6295586812E.TMP

Filesize
644B

MD5
99391a82e5b561dfc9cc7ac81a1cb201

SHA1
0ba207b51bb89f646ad3d24983bd9494c5c97919

SHA256
f65b6aab72948c9a1727295169c5f79527ab39d7dfd67e0493ab6d501739d8ee

SHA512
7915df9d88875ad7d8fef7070626750d0aa00a2ed006b17d61c770ed44bfab4c29c13a79a29b8adf865b3fd9c94e2f748708c968d7c15e2aa48e187406908f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ひyбnhсC.exe

Filesize
7KB

MD5
f2990907d878b119a9ce36abc39a7409

SHA1
607dbd9c7cc36ae04c580c22c04bc6cdc9f6a611

SHA256
8280aa3b15ea3beb037f6362d0fc5f908e089b398a965a7b93eac5f71785702d

SHA512
9fa1e3e22c12163a72b93c00d21c2961edfbf28287b9d7b4957ee46d2d22abe558c003c0c679c66176c5f87c685d12dfa3b36eb55cd29a44b7fe9cb32231eb66

Download Submit
memory/692-16-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/692-8-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/1812-20-0x00007FF9EF175000-0x00007FF9EF176000-memory.dmp

Filesize
4KB

Download
memory/1812-29-0x00007FF9EF175000-0x00007FF9EF176000-memory.dmp

Filesize
4KB

Download
memory/1812-31-0x00007FF9EEEC0000-0x00007FF9EF861000-memory.dmp

Filesize
9.6MB

Download
memory/1812-30-0x00007FF9EEEC0000-0x00007FF9EF861000-memory.dmp

Filesize
9.6MB

Download
memory/1812-21-0x00007FF9EEEC0000-0x00007FF9EF861000-memory.dmp

Filesize
9.6MB

Download
memory/1812-22-0x000000001C390000-0x000000001C85E000-memory.dmp

Filesize
4.8MB

Download
memory/1812-23-0x00007FF9EEEC0000-0x00007FF9EF861000-memory.dmp

Filesize
9.6MB

Download
memory/2464-24-0x00000000750C2000-0x00000000750C3000-memory.dmp

Filesize
4KB

Download
memory/2464-25-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2464-26-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2464-28-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/2464-2-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2464-0-0x00000000750C2000-0x00000000750C3000-memory.dmp

Filesize
4KB

Download
memory/2464-1-0x00000000750C0000-0x0000000075671000-memory.dmp

Filesize
5.7MB

Download
memory/2464-32-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/2464-33-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download