Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
19-09-2024 06:33
Static task
static1
Behavioral task
behavioral1
Sample
eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
-
Size
586KB
-
MD5
eac429ca1d62c1eeba0892654f090c16
-
SHA1
0a511fa8428c3f18b1c08caf940ba5d8ba25fcd1
-
SHA256
06a4b038ae003e24842c9dfb2bbe12e79bf001c34a84c6686d6f5936a606126e
-
SHA512
5bbb90c0e70fd50153a7a0ef541ecacdef13ac735bf39983e1d8cc9b5a0441bd4a32e60d2b5815a54bb5b6dd2ada5e600df3382a6642ba692d0a22b04c366c53
-
SSDEEP
12288:KlSaGklFSnYZQjL+ohDCtbV016whSLyTbm2vgSGYg8niTSa4UDTkKPCEF4k:KpD4YZMLlYtJCfhYQvg/YgvH4UDY964k
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2704 PfK.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 5 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe
File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe -
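The IoCs above list only manifest.json under Chrome for five accounts, while the Downloads section further down shows the same extension ID (lghjfnfolmcikomdjmoiemllfnlmmoko) under Torch\User Data, so a hunt has to cover every Chromium-based browser profile tree under AppData\Local, not just Chrome. The following is an added example, not code from the report or the sandbox, that walks a volume for that extension ID in every user's profile and every browser directory laid out as <browser>\User Data\<profile>\Extensions, reads each manifest for the permissions a page-stealing extension needs, and reports manifests that do not parse instead of skipping them. The fixture tree it builds is constructed for the demonstration (the file names content.js and h6Ad.js are taken from the Downloads section; the manifest contents and the HIGH_RISK_PERMISSIONS set are assumptions); point find_dropped_extension at a real volume root to hunt for real.

```python
"""Hunt for the dropped browser extension across every user profile and every
Chromium-based browser on a Windows volume.

Added example; not part of the sandbox report. EXTENSION_ID is the ID from the
report's IoCs. The search generalises the report's Chrome paths to any
Users/<user>/AppData/Local/<browser...>/User Data/<profile>/Extensions tree,
which is also how the Torch artifacts in the Downloads section are laid out.
build_fixture() creates a constructed tree for the demonstration.
"""
import json
import tempfile
from pathlib import Path

EXTENSION_ID = "lghjfnfolmcikomdjmoiemllfnlmmoko"  # from the report's "Drops Chrome extension" IoCs

# Assumed watch-list: permissions / match patterns that let an extension read or
# rewrite every page the user visits (what a credential-stealing extension needs).
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "cookies", "tabs", "scripting"}


def _rindex(parts, name, before):
    """Index of the last occurrence of `name` in parts[:before]."""
    for i in range(before - 1, -1, -1):
        if parts[i] == name:
            return i
    raise ValueError(f"{name!r} not in path")


def _locate(manifest):
    """Split .../Users/<user>/AppData/Local/<browser...>/User Data/<profile>/Extensions/<id>/<version>/manifest.json.
    Searches from the end so a temp directory that itself lives under C:/Users does not confuse it."""
    parts = manifest.parts
    i_ud = _rindex(parts, "User Data", len(parts))
    i_local = _rindex(parts, "Local", i_ud)
    i_users = _rindex(parts, "Users", i_local)
    return {
        "user": parts[i_users + 1],
        "browser": "/".join(parts[i_local + 1:i_ud]),  # "Google/Chrome", "Torch", ...
        "profile": parts[i_ud + 1],
        "version": parts[-2],
    }


def _assess_manifest(manifest):
    """Read the manifest and pull out the permissions that matter; a manifest
    that will not parse is reported as such rather than silently skipped."""
    try:
        m = json.loads(manifest.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {"manifest_ok": False, "name": None, "risky_permissions": []}
    granted = set()
    for key in ("permissions", "host_permissions"):
        granted.update(p for p in m.get(key, []) if isinstance(p, str))
    for script in m.get("content_scripts", []):
        granted.update(script.get("matches", []))
    return {
        "manifest_ok": True,
        "name": m.get("name"),
        "risky_permissions": sorted(granted & HIGH_RISK_PERMISSIONS),
    }


def find_dropped_extension(volume_root, extension_id=EXTENSION_ID):
    """One record per manifest.json found for extension_id, sorted by user and browser."""
    pattern = f"Users/*/AppData/Local/**/User Data/*/Extensions/{extension_id}/*/manifest.json"
    hits = []
    for manifest in Path(volume_root).glob(pattern):
        rec = _locate(manifest)
        rec.update(_assess_manifest(manifest))
        rec["js_files"] = sorted(p.name for p in manifest.parent.glob("*.js"))
        rec["path"] = str(manifest)
        hits.append(rec)
    return sorted(hits, key=lambda r: (r["user"], r["browser"], r["profile"]))


def build_fixture(base):
    """Constructed tree: the extension in a Chrome profile and a Torch profile
    (as in the report), plus an unrelated extension that must not match."""
    base = Path(base)
    manifest = {  # assumed contents; the real manifest's permissions are not on the page
        "manifest_version": 2, "name": "update", "version": "123",
        "permissions": ["tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js", "h6Ad.js"]}],
    }
    for user, browser, text in [
        ("Admin", "Google/Chrome", json.dumps(manifest)),
        ("WDAGUtilityAccount", "Torch", "{ not valid json"),  # corrupt-manifest edge case
    ]:
        d = (base / "Users" / user / "AppData" / "Local" / browser / "User Data"
             / "Default" / "Extensions" / EXTENSION_ID / "123")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(text)
        for js in ("content.js", "h6Ad.js"):
            (d / js).write_text("// constructed placeholder")
    benign = (base / "Users" / "Admin" / "AppData" / "Local" / "Google" / "Chrome" / "User Data"
              / "Default" / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0")
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "benign", "permissions": ["storage"]}))
    return base


def demo():
    """Build the fixture in a temp dir and hunt it; returns the hit records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return find_dropped_extension(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The path is split from the end rather than the start so the hunt still works when the scanned tree is itself mounted under a user profile (a triage copy in a temp directory, for instance). A corrupt manifest is a finding in its own right: the report shows the dropper writing the file, so an unparseable one is worth a look, not a skip.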
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PfK.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 716 wrote to memory of 2704 716 eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe 82
PID 716 wrote to memory of 2704 716 eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe 82
PID 716 wrote to memory of 2704 716 eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe 82
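The signature tables above are exported by the report page as one run-together line per table, which makes them awkward to feed into a ticket or a SIEM. The following is an added example, not code from the report or the sandbox, that parses those flattened tables back into structured IoC records and recovers the parent/child relationship the WriteProcessMemory rows encode. SAMPLE_TABLES holds rows copied from this report (two of the five "File created" rows, to keep it short). Two assumptions are used to find the column boundaries: process names end in ".exe" (true of every row on this page) and registry paths contain no spaces, while file paths may ("User Data").

```python
"""Parse the run-together signature tables of this sandbox report into
structured IoC records and recover the process relationship they encode.

Added example; not the report's or the sandbox's own code. SAMPLE_TABLES holds
rows copied from this report in the one-line form in which the page exports
them. Column boundaries are found on two assumptions: process names end in
".exe" and registry paths contain no spaces (file paths may).
"""
import re
from collections import defaultdict

DROPPER = "eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe"

SAMPLE_TABLES = {  # rows copied from the report, keyed by signature name
    "Executes dropped EXE": "pid Process 2704 PfK.exe",
    "Drops Chrome extension": (
        r"description ioc Process "
        r"File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe "
        r"File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\manifest.json PfK.exe"
    ),
    "System Location Discovery: System Language Discovery": (
        r"description ioc Process "
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PfK.exe "
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language " + DROPPER
    ),
    "Suspicious use of WriteProcessMemory": (
        "description pid Process procid_target "
        + " ".join([f"PID 716 wrote to memory of 2704 716 {DROPPER} 82"] * 3)
    ),
}

PROCESS = r"(?P<process>\S+\.exe)"
PATTERNS = {
    # A file path may contain spaces, so take it lazily up to the last token
    # before the next row (or the end of the table); the lookahead forces the
    # correct split even when the path's own filename ends in .exe.
    "file_created": re.compile(r"File created (?P<path>.+?) " + PROCESS + r"(?= File created |$)"),
    "key_opened": re.compile(r"Key opened (?P<key>\S+) " + PROCESS),
    "wrote_memory": re.compile(r"PID (?P<pid>\d+) wrote to memory of (?P<target_pid>\d+) \d+ "
                               + PROCESS + r" (?P<procid_target>\d+)"),
    "executed": re.compile(r"(?P<pid>\d+) " + PROCESS),
}
# Which row patterns a table may contain, keyed by its column header.
HEADERS = {
    "description pid Process procid_target": ("wrote_memory",),
    "description ioc Process": ("file_created", "key_opened"),
    "pid Process": ("executed",),
}


def parse_table(signature, text):
    """Split one flattened table into row records, in source order."""
    for header, kinds in HEADERS.items():
        if text.startswith(header):
            body = text[len(header):].strip()
            break
    else:
        raise ValueError(f"unknown table header in {signature!r}")
    rows = []
    for kind in kinds:
        for m in PATTERNS[kind].finditer(body):
            rows.append((m.start(), {"signature": signature, "kind": kind, **m.groupdict()}))
    return [row for _, row in sorted(rows, key=lambda r: r[0])]


def parse_report(tables):
    """All records from a {signature: flattened table text} mapping."""
    records = []
    for signature, text in tables.items():
        records.extend(parse_table(signature, text))
    return records


def summarize(records):
    """Record count per IoC kind."""
    counts = defaultdict(int)
    for r in records:
        counts[r["kind"]] += 1
    return dict(counts)


def process_tree(records):
    """PID -> image name and parent PID -> child PIDs. The three identical
    WriteProcessMemory rows collapse into one 716 -> 2704 edge, which matches
    the report's process tree (PfK.exe, PID 2704, under the dropper, PID 716)."""
    names, children = {}, defaultdict(set)
    for r in records:
        if r["kind"] == "executed":
            names[int(r["pid"])] = r["process"]
        elif r["kind"] == "wrote_memory":
            names.setdefault(int(r["pid"]), r["process"])
            children[int(r["pid"])].add(int(r["target_pid"]))
    return names, dict(children)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_TABLES)
    print(summarize(recs))
    print(process_tree(recs))
```

Rows are matched per table rather than with one global regex because the "pid Process" row pattern would otherwise also fire inside the WriteProcessMemory rows ("716 eac429…_JaffaCakes118.exe"); keying the patterns on the column header avoids that.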
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eac429ca1d62c1eeba0892654f090c16_JaffaCakes118.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 716
   2. C:\Users\Admin\AppData\Local\Temp\25632e46\PfK.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp/25632e46/PfK.exe"
      - Executes dropped EXE
      - Drops Chrome extension
      - System Location Discovery: System Language Discovery
      PID: 2704
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 000a75b29511b19aec2858f409e72a98
SHA1 034f67c5fefbf95a9b3789df3ead463c33e44440
SHA256 cb7a391390cf219f2dca8d14259d0527f630174f9d86e1b306d66d279059579c
SHA512 8a6bce4ccf8f15d724aa5628aa641f0d95bc8d1c85b615dfff3540df1a5ac2d042dbc5f15c860622c5a713c85ba7d462ae5e5c39a1b54bbe3aa4b7a12c9137c1
-
Filesize
409KB
MD5 ef38514253e4dafb6823f236bc47bb5f
SHA1 458a7dcb3c85cbe3c93eb7876fa0e6cd7e07f0f6
SHA256 4c1f4446576780b1d9ebd6f3cb653375aacfe3fd37e542ab4d4f3616db82475e
SHA512 853b8a5467d9c3800334807c0c0d558d4b42d201bb19927d10ab391d1ddad93abbbed8612f8d243362cfa2e0cb53f81610f68040db7ba554886b06fc6befe43f
-
Filesize
141B
MD5 58ff55a5c2fd1b711f9b4602c22a89c3
SHA1 6998651019972db2ed20db053370fd2344d232b9
SHA256 ede8ce722543815ba505a35225c974005664209b58f5b7557e9e288506d99014
SHA512 bd1f677ee89b4b1b2dc0d82148e93b630c43dd541d9374cf95390093722fc6167c12d9cb27b9c25bc010f403ad7e5a3e21ac8b11f8d2cc858870123a2d7cdfd4
-
Filesize
4KB
MD5 a4f1554ffb094f35295c036c48f8372f
SHA1 623e977dc00591c3e725f3cc9b0c094e430978c8
SHA256 764e06233c180f6c6227c784f40458f3a4817725f42bcffb4691156068d642ea
SHA512 8cf361c5aa0fb6c9fc590c65b3ab344448667c50ca77336ec938ab0b3ae6bc058cf31aa542da8e39ff829459162782d08992326c5aba62a0a4c8eee2b5696c63
-
Filesize
24KB
MD5 bbea09e717fb778e9bb4476c46d35bfe
SHA1 3259367216aed213e4609294f64adc21c47a385b
SHA256 8a828a419fe57b3591923ef78ed4fb42a8ddc70c693e8ced184ff2a527c2d1ac
SHA512 a8157320c5b680ef9a959cbc552a524934620587686af8e6fa2321891d46932eb789744b7f2b097e0c266d1606815f7d3138364380790bf342b450e6fd458b8b
-
Filesize
5KB
MD5 59759c3cbc4c69998e787609c76239ca
SHA1 3e9a3378529201e22516859a08faf595ffda11cb
SHA256 68f9738f78ef5ae2161bf41c8ebed6cc3e28e836821389b0b2e7c77301d27504
SHA512 89f0407fa5c449cb8bc3f019875811d23809e1fa303eeb3ea4f8876d9ae8764808c7e824cbf3badf67b01df2783c82655de1fa41108e67d55cf0b8808e03967b
-
Filesize
600B
MD5 6b428cca479efa361d7d23a132511b5c
SHA1 1fbe8449ad0d6a5909288ca1eddc0d5b798a2340
SHA256 297e3bdccd15f06b6160d78338928c04a69bf6579879cea36c8862d02bd6ef5c
SHA512 7fb5e0c59cfb44267a34912dee5e77012dc501c1b9819095714a4b85de021ea8d46994178155a3162412beffd57385c04c0976f4174aff5a1bc62d8174b98029
-
C:\Users\WDAGUtilityAccount\AppData\Local\Torch\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\content.js
Filesize 4KB
MD5 33a02aada6dd3f8f47b1f0a0221e4fc4
SHA1 1bc903dfb18492d094d7cc18a5842382f204d282
SHA256 c229dc025f2011bbeb079920eb9325400488872927d634b8906f76e502b0a337
SHA512 4c03cbd11a028a8c06eccc73f7501c309b501b364c680bb0d482dcb5d40e93b34b6d539b28e7bf9aa99bc4a61df915fde1110c838621ec640a06681d942f0616
-
C:\Users\WDAGUtilityAccount\AppData\Local\Torch\User Data\Default\Extensions\lghjfnfolmcikomdjmoiemllfnlmmoko\123\h6Ad.js
Filesize 24KB
MD5 06a181803395518c6918b78ba147e929
SHA1 95166cc73a335ce07304a76130af45e61a9d51ff
SHA256 766a27c7b61ed351bbca137288bbfdd0dc19f9e79037b071b1ec738ac15cedea
SHA512 8198dbac680de7f8ad3f8c28c27d12cb4477863811786e986cb984480c0cfa53e1634f90aad6bfd4f3ea31bb35fbf694295c506071f87cf6138092174e0c27c0