Overview

overview

7

Static

static

1

fc543ba74b...18.exe

windows7-x64

7

fc543ba74b...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-09-2024 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc543ba74b16b61766b773a6d959bce3_JaffaCakes118.exe

  • Size

    380KB

  • MD5

    fc543ba74b16b61766b773a6d959bce3

  • SHA1

    73b6afdc7f01ac3e902faddeea97fe0c7687d1fc

  • SHA256

    8b572cb42288d11850d39a85649c31cc440626e2c80403a261eb7f9affbaa9d0

  • SHA512

    1db8cbe508a8f4f09204e3ccf57a0c2b714a5813aa0303f2bced44b441c7d536bfb8c406ea5a680764369d14d65a93fb10386c281da6bb10bc6002968d58177a

  • SSDEEP

    6144:+BUIa/9sgTC0yFRQy6gntOtq7mjfYQqbJoCulex5BuqZ1CfejtUtwXJ+UgsVrHZz:+Na/NTdgCqazYQeoCSEZZ2tGJngsVr1f

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc543ba74b16b61766b773a6d959bce3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fc543ba74b16b61766b773a6d959bce3_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\E16ATM~1.BAT
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\fc543ba74b16b61766b773a6d959bce3_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2960
      • C:\Windows\SysWOW64\attrib.exe
        attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\E16A.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\E16A.tmp.bat
    Filesize

    484B

    MD5

    26f53e2b5372935cb1b81748c08ee175

    SHA1

    2b2a3e94a1c9bb226e9347ca3d65138833348402

    SHA256

    eadecfbe0523739574f4a8baddf7965af9c9e638b45a1a041885a852a01cae3c

    SHA512

    fb52d3db35c45576a1354e07e519ba13cbd38a00f39a3adfae0979fdb52379b44b1030c0d05da30c378dbda6a5e768c2970135852b045fdfeac11e336a90a88d

    Download Submit

  • memory/2948-0-0x00000000002C0000-0x0000000000323000-memory.dmp

    Filesize

    396KB

    Download

  • memory/2948-1-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2948-4-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download