Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 06:26
Static task
static1
Behavioral task
behavioral1
Sample
ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe
-
Size
537KB
-
MD5
ed039c91cbd802016c0052cfb7c7479a
-
SHA1
f6b0be96bc72960edac79c3d19202ead6741ea35
-
SHA256
0dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff
-
SHA512
a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17
-
SSDEEP
12288:Q77P4DWh9VWaOP6ExsZzKITASpLpQWBtD:Q778WRTMTsZLE0m
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
QGDOUOSDWX
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 12 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2008-28-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral1/memory/2008-24-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral1/memory/596-39-0x0000000000400000-0x0000000000426000-memory.dmp Nirsoft behavioral1/memory/2828-35-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral1/memory/2828-31-0x0000000000400000-0x0000000000419000-memory.dmp Nirsoft behavioral1/memory/596-38-0x0000000000400000-0x0000000000426000-memory.dmp Nirsoft behavioral1/memory/596-42-0x0000000000400000-0x0000000000426000-memory.dmp Nirsoft behavioral1/memory/1320-48-0x0000000000400000-0x000000000043E000-memory.dmp Nirsoft behavioral1/memory/688-45-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/688-52-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft behavioral1/memory/1320-51-0x0000000000400000-0x000000000043E000-memory.dmp Nirsoft behavioral1/memory/688-59-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/688-45-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/688-52-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView behavioral1/memory/688-59-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView -
Deletes itself 1 IoCs
pid Process 2836 Windows Update.exe -
Executes dropped EXE 1 IoCs
pid Process 2836 Windows Update.exe -
Loads dropped DLL 1 IoCs
pid Process 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2008-21-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2008-23-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2828-29-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2008-28-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2008-24-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/596-39-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/2828-30-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2828-35-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/2828-31-0x0000000000400000-0x0000000000419000-memory.dmp upx behavioral1/memory/596-38-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/596-37-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/596-36-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/596-42-0x0000000000400000-0x0000000000426000-memory.dmp upx behavioral1/memory/1320-47-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1320-48-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/688-45-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/688-44-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/688-52-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/688-43-0x0000000000400000-0x000000000041F000-memory.dmp upx behavioral1/memory/1320-51-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/1320-46-0x0000000000400000-0x000000000043E000-memory.dmp upx behavioral1/memory/688-59-0x0000000000400000-0x000000000041F000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\#nume# = "C:\\Users\\Admin\\AppData\\Roaming\\#rundll32 .exe#" ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\#nume# = "C:\\Users\\Admin\\AppData\\Roaming\\#rundll32 .exe#" Windows Update.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" Windows Update.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2836 set thread context of 2008 2836 Windows Update.exe 31 PID 2836 set thread context of 2828 2836 Windows Update.exe 32 PID 2836 set thread context of 596 2836 Windows Update.exe 33 PID 2836 set thread context of 688 2836 Windows Update.exe 34 PID 2836 set thread context of 1320 2836 Windows Update.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Update.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2240 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe 2836 Windows Update.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2836 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 596 vbc.exe Token: SeDebugPrivilege 2836 Windows Update.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2816 wrote to memory of 2836 2816 ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe 30 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2008 2836 Windows Update.exe 31 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 2828 2836 Windows Update.exe 32 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 596 2836 Windows Update.exe 33 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 688 2836 Windows Update.exe 34 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1320 2836 Windows Update.exe 35 PID 2836 wrote to memory of 1464 2836 Windows Update.exe 36 PID 2836 wrote to memory of 1464 2836 Windows Update.exe 36 PID 2836 wrote to memory of 1464 2836 Windows Update.exe 36 PID 2836 wrote to memory of 1464 2836 Windows Update.exe 36 PID 1464 wrote to memory of 2240 1464 cmd.exe 38 PID 1464 wrote to memory of 2240 1464 cmd.exe 38 PID 1464 wrote to memory of 2240 1464 cmd.exe 38 PID 1464 wrote to memory of 2240 1464 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ed039c91cbd802016c0052cfb7c7479a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log.txt"3⤵
- System Location Discovery: System Language Discovery
PID:2008
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log2.txt"3⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log3.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:596
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log4.txt"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:688
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\log6.txt"3⤵
- System Location Discovery: System Language Discovery
PID:1320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2240
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84B
MD5f61e7f09c54abfca275c880ef9f02cf2
SHA1eb5ff90abaca78e23927bb97a49d08d470735ba9
SHA256d172047b5d885efac6e42afb61aa218cd0c637d0de9b42b3e8dac385f7419b15
SHA5124db37d26c3642d13ac3f145fe48f010e10ee2ea56602b62be7c756833bd37225416d9145b01515317e22cf97919053f5c5bcb817c5ab58d98b84c086128d5352
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
537KB
MD5ed039c91cbd802016c0052cfb7c7479a
SHA1f6b0be96bc72960edac79c3d19202ead6741ea35
SHA2560dd4d407bbb948208a776f1254584bac0ae01fb724cfb7c44b5e46c8496be2ff
SHA512a79fcb9de2e4a8abc599a26f7644ac7f3c221732d722617d3f02272b42143b24d1eeb553bed5b2644e2aa6968636b1b21ae82a5435934edaa1d51ee50a86ac17