Overview

overview

7

Static

static

3

de95897df5...18.exe

windows7-x64

7

de95897df5...18.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

$TEMP/~nsi...44.dll

windows7-x64

3

$TEMP/~nsi...44.dll

windows10-2004-x64

3

Cloud-Web_2_44.dll

windows7-x64

6

Cloud-Web_2_44.dll

windows10-2004-x64

6

Cloud-Web_...44.dll

windows7-x64

3

Cloud-Web_...44.dll

windows10-2004-x64

3

Cloud-Web_run.exe

windows7-x64

3

Cloud-Web_run.exe

windows10-2004-x64

3

Cloud-Web_...44.exe

windows7-x64

3

Cloud-Web_...44.exe

windows10-2004-x64

3

Cloud-Web_tb_2_44.dll

windows7-x64

3

Cloud-Web_tb_2_44.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de95897df511d95caa3ba3de44680e9b_JaffaCakes118.exe

  • Size

    641KB

  • MD5

    de95897df511d95caa3ba3de44680e9b

  • SHA1

    1968b6e7ff09f8a51583dec455e38dee647b8c80

  • SHA256

    4243973c45b9052878644c7b30a05e9640844ae55e43998945685f80e8fa64dc

  • SHA512

    af576764cc68e7a7bda2a48e2ee9c0eb726726c62ca096d9df10de1905e2168596fba95589a71f06d1f8ec758e126e8b400ef8366327deb77f8db9d7a747ab30

  • SSDEEP

    12288:uSQvCetyQ/j8olI+jUxZBvT51V8Xb2egbbyQ/j8Xla+j8sDguxeb:uFxtyO8kI5xZ5FY7uyO8Va3pukb

Score
7/10
adwarediscoverystealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 26 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de95897df511d95caa3ba3de44680e9b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de95897df511d95caa3ba3de44680e9b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.ex_
      "C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.ex_" /stop
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3012
    • C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.ex_
      "C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.ex_" /u
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2740
    • C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe
      "C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe" /i
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2576
    • C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe
      "C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1452
  • C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe
    "C:\Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Cloud-Web\Cloud-Web_run.exe
    Filesize

    127KB

    MD5

    058b3bbdde73c14ceb916f13a6e41f3a

    SHA1

    ac699575c4349643d9894e7a7e7ebd03c5bb2698

    SHA256

    b4b1d7aa7e1cdb362fd40427790baa5db88bcd9be6ab505a1507f5e5c900b053

    SHA512

    7a41acd3b8fd363b87b66de04eab44c3842690feb766ae59041c2b43acf9b7631a008d5ec76d89049c066213a0a8f4e0fd009674656ae96312c7f0e180645136

    Download Submit

  • C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240913.txt
    Filesize

    230B

    MD5

    7281c6c8fa15428fe5af186a99163aa8

    SHA1

    dd4038d57cd23c485d25d9097f02c3e75b7323bb

    SHA256

    9ee6319f3765c20875421ec7758bba36d899d51fae3756bd807e26236d6a0337

    SHA512

    f6036da2f3b3d61762bdfe3bf7457ae6463d97912f569fa29324cf14fdd324d20fc5df42965d632944316760aa5002e5b4ebc281d733b0de20781a2166818f47

    Download Submit

  • C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240913.txt
    Filesize

    304B

    MD5

    f269b6b7d7dc5031c5cca9a40ac3a401

    SHA1

    d4ebc70d85443b52c922f710d3ad5b15f7daf58c

    SHA256

    b4ca5a9d114d4b8188e2da1dbbf7bf9ded65e52ee7afa07211ea8b042994d39c

    SHA512

    8e45e921789fdfcf7961fe8c855cc4a20d132e019814d78defe4b022051b38aca1a645012a11eb3ad41af1b4b570de8b4751bccaf38154560f82b620a2be9025

    Download Submit

  • C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240913.txt
    Filesize

    378B

    MD5

    9ba5c20868549994415f41b80be48d93

    SHA1

    739d30a1d63f2ea55403932adcc98df9321dc001

    SHA256

    3bff6046e7c81eb0efb6c5a69e9bac59f8b78e2d79aa7257d9e26a28f8cb0880

    SHA512

    62e8e5c84ffabd74a016f21edc5c72d0ff23e37f2b2431d8b121b00d71180ff667d535b339f6c692348e55ca4963faa791a74b27613558a3a08eb5c75c0cf99c

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_2_44.dll
    Filesize

    123KB

    MD5

    57a31495a42051e14de51a13dd38079b

    SHA1

    ad0042020bb0f44531275b0b70f8390a59c3ea0a

    SHA256

    c5ec095574e889bc0ec36bba196dd2579ad6665db75aaf06d62b66b2add00708

    SHA512

    520c86c2a6942df65886f47e365ea32d91e9fc56a3967b20c6a10b0395ba35eb9d8ec4975052b9da9e075ca3608b27465c94bd462935da51f9ee1438353a3608

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_svc_2_44.ex_
    Filesize

    103KB

    MD5

    571aeeec245995fa7896022ccfae55d5

    SHA1

    fc450e4ef91bf17f38de426557da3e856115bc95

    SHA256

    6f2bce6eec626c94bd6a1dbb2b642eb739239d512625e5036968ddecc3d4d829

    SHA512

    5880a8d8366ce5b2ab82e5cbc090a55140a6c1655f08a4c89bec3eeedd2ab036c0e6d6d9b1027762ebbfa9209323a419b25ec563b7e341b905d5562114a92731

    Download Submit

  • \Program Files (x86)\Cloud-Web\Cloud-Web_tb_2_44.dll
    Filesize

    127KB

    MD5

    598552f2534fd18263a97319f7df5c07

    SHA1

    e459f60c1f738c6821db063860a2850f670eef5f

    SHA256

    da1233c37f2abc2940a9fe3f122c4dcc85d7b558e2413fd580ad01afc0ab7dbe

    SHA512

    e148899971ce410a8661ffbd90cc0747606fa0a6acbd417e61859b35db6d4ce5f2d815211bf40e8499d7ce364427cc7930c3256d2dd5655655403dbf3bd7413d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj2138.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsj2138.tmp\nsProcess.dll
    Filesize

    4KB

    MD5

    8f4ac52cb2f7143f29f114add12452ad

    SHA1

    29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

    SHA256

    b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

    SHA512

    2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~nsis\Cloud-Web_nad_2_44.dll
    Filesize

    495KB

    MD5

    ac56735864a6cb5a5dec0788e28a4d78

    SHA1

    fb2e5ab4f98dd8a5298d8b09f96fb70a1e767f20

    SHA256

    52b805bfa64cec8dbd302587a14a00ec58165baf9526b13a2fb3c9124740f7a7

    SHA512

    985d67f976ecb3bacfd19a9cb574a45f2f1d77ffaf8042fa8411fba63154de8d8290d697395c487af79c74807f88d91f8744f19e5edcc4c7df9a42b5216dd4e2

    Download Submit

  • memory/2412-44-0x0000000002860000-0x00000000028DF000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2412-41-0x0000000000390000-0x00000000003B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2412-37-0x0000000000390000-0x00000000003AF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/2412-17-0x0000000001F30000-0x0000000001FAF000-memory.dmp

    Filesize

    508KB

    Download