c002e189b8f742df6459dc0be8cb5a0afcaca94c9279438128517ab8e63d44d9

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
Size

720KB
MD5

ff83855a648846c5e05c54e23b417bae
SHA1

32175d41aed15387da1f0c86d46793ceca3883f8
SHA256

c002e189b8f742df6459dc0be8cb5a0afcaca94c9279438128517ab8e63d44d9
SHA512

e4cef955bf222ae3aa1ca180649c7f25826f4e07310d937cd1a30f1246f7861e1ed9bfca4bd79f089c1d729f5083ccf326fbe63b6dbac9387c576e7293ed38fa
SSDEEP

12288:xMOAiHA9pcm1IfjZalab5aRrz9Aebtn5PzJ7zT3z:xyiHKqmQt5WBhPVrz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
3776	ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff83855a648846c5e05c54e23b417bae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\GetVersion.dll

Filesize
6KB

MD5
5264f7d6d89d1dc04955cfb391798446

SHA1
211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc

SHA256
7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4

SHA512
80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\inetc.dll

Filesize
20KB

MD5
2f94245152dbd233e248909f9c01c578

SHA1
ab4e5879c001b36a2f9ff214946599fd015edda9

SHA256
4c4d85eb9725fc7fade03467990e3dd9671c29a7870c97e69babc2cb3c9adef9

SHA512
f92830de27d6663be5e0df9e32cd88732bc7ee93b14c1ded65258c325d22436400801aff1124f40400c6c3b3c16e71deb08436714716f3888d13a8a6b6a32231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\linker.dll

Filesize
6KB

MD5
8450b29ee8d592c208ba1aaf6ee50267

SHA1
75096da057bc85cef63bb0eec168652ea75cf618

SHA256
53aa57e582dc56421c1191a0a9efac9c36960b903b7d825f3b9682605ec2b612

SHA512
d23a3057053a1f36f5eb212ae0b09b9b0b41e50b8a6a20bbc46c12c51199ad0bca741bcce17534488158e8f2b9470dbdac2aa059688b7588a05778c40d461039

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\nshist.dll

Filesize
39KB

MD5
56bf72527ae93d35cd8f8778ad29902b

SHA1
3248a7ca75a3c2e715a13b455ccc5d45e04cf9b9

SHA256
77f38240d729758f04fbd6ac00dc638e99ba27c42fa48200c99f51449e245343

SHA512
c8ea0445bb83bb67dffa85b167fcc9b6ea874493442db5707e939ee0f2864a0d464ee605de486febffc27b60cd3c35a91302f226f6c4f13186119687a7e6000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\tbdata.json

Filesize
1KB

MD5
6562dc4704f1ad18ac1178fc4a771300

SHA1
77807e85ac5daeb7c4cded8a1d1d5f1f79ca5026

SHA256
fb0a16347eee1fcf5b0d77281a6b3acba00d6ef0961a6560789c01789322f7a1

SHA512
4f1bbd18c0bef89d22d66061b9a604aace7e7687954d7ec791ff5cc5ee61627916597dd38511f360073272fe110ed628c590e306ca230e739edf84ba66f55167

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBEFC.tmp\timepro.dll

Filesize
20KB

MD5
009dbbdd1ef470dd752c2b73835da3e7

SHA1
f97da6556b24302df8201a092eaa32a80d49064b

SHA256
c1ed8c398108dc56fbb6fd6797c3c9df59447e2a2f198b72a45058124971b09c

SHA512
dbffa0eb830b292e5550eb3f3cfce90f881282652afb0463672ece7eb0946c34a8f75c4852f77b1db3604f0f346d0ed9d9babbad40b41de109e9f5119d555ec5

Download Submit
memory/3776-19-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/3776-34-0x00000000030F0000-0x00000000030F9000-memory.dmp

Filesize
36KB

Download
memory/3776-226-0x0000000004010000-0x0000000004019000-memory.dmp

Filesize
36KB

Download