Analysis
-
max time kernel
124s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 12:00
Static task
static1
Behavioral task
behavioral1
Sample
e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe
-
Size
722KB
-
MD5
e4b9b54d28b835cae6615be8ffafeaef
-
SHA1
f4e5c599ca08a168df51c8139162987bd1aa2f8d
-
SHA256
f02d4088e540950abffd329187e2e4bed685621eb22b01ad888a581fabfa002c
-
SHA512
661c493ec9d88d47d927be648c817413053ace1ad7a189af9c0669fd079540f05f4864174d582e3a462c9300fc604a3e0faee9b838a40c7924576195dac7114e
-
SSDEEP
12288:7rQtqB5urTIoYWBQk1E+VF9mOx9ufr4Mu32f/8qG:7rQtqBorTlYWBhE+V3mOK436/8qG
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
25561210
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2564-6-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2564-8-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2564-9-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2564-13-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2672-17-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2672-18-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2672-16-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/2672-26-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2564-6-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2564-8-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2564-9-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2564-13-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2672-17-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2672-18-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2672-16-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/2672-26-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1624 set thread context of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 set thread context of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2672 vbc.exe 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2564 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 32 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33 PID 1624 wrote to memory of 2672 1624 e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e4b9b54d28b835cae6615be8ffafeaef_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2564
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2672
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84