8ab6876f05b74342ac0ece11edeb25a06de3a00c6f1aa75c175bc7e72ac9ca05

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe
Size

858KB
MD5

ef89972bbc4de24840b2c8aef9ec1a05
SHA1

29889b94178eea9e851a387ef070abda7d1a67e9
SHA256

8ab6876f05b74342ac0ece11edeb25a06de3a00c6f1aa75c175bc7e72ac9ca05
SHA512

62e7a784fd26184c14a67f5129d6391796c08abebaed21fc414611ce582fd5ab3f2a4b667467384329e021f5e339491df7d95dcfaec93f30b4cab4e47d874d1b
SSDEEP

24576:7VDjYXaEkuj1iMrCy6NXIxXC985500scM8scM8scM8hRBxhRBxhRBxhRBxeO+ueu:7WqEPUVy6NX6XC985500scM8scM8scMP

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4696	ff.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1124	1100	ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe	82
PID 1100 wrote to memory of 1124	1100	ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe	82
PID 1100 wrote to memory of 1124	1100	ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe	82
PID 1124 wrote to memory of 4696	1124	cmd.exe	84
PID 1124 wrote to memory of 4696	1124	cmd.exe	84
PID 1124 wrote to memory of 4696	1124	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef89972bbc4de24840b2c8aef9ec1a05_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\bat.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - \??\c:\ff.exe
    ff.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bat.bat

Filesize
26B

MD5
ad4d72f5f09ac57aa059d38e6eef7c4f

SHA1
566194974f2b8dc1d0522b88e36cc88e3075112c

SHA256
3256d5f6640fb6cd68b43238f8a093573e6ce39f4bf6a5f28285053e90f78c17

SHA512
09a504675e68fe90a89d8192b34e338981a31345ac37bc6eaa0eae575c2a54da21fc24c251c61805f416ec0c70d6eddbe26d6c8714e253679dff2b0127af5b92

Download Submit
C:\ff.exe

Filesize
380KB

MD5
f11e5d31dd3220ab69675ef16311ac00

SHA1
07ed2f2038c729351a8a55e3482e95300666aeb7

SHA256
077b971c895312a102e580b600f8ae17cff623c62dde466f9415348e7e7fcb25

SHA512
3e86360df4a6fac09507459322823f715a8ea3c200969127ac121dc5116ed3e0e2cbf28b2c52b1a33a74378e1b641fb7ec0aa949fb726e44dc4cfb70a8aade8f

Download Submit
memory/1100-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1100-11-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1100-10-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/1100-13-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download