6d73d867116b13b0c96216beb5fdd421c06a88ea8d7cd9ce9af039f33a477d37

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
Size

4.5MB
MD5

fdacedbfee55e056c5f34c6b177c2e19
SHA1

afa928cfdc81d0774cdcc97fda7df796c959ad6c
SHA256

6d73d867116b13b0c96216beb5fdd421c06a88ea8d7cd9ce9af039f33a477d37
SHA512

b00e389dc7340a6e9bf9cbb9ff611883da6ea8ff9908a85bc4d5e29732d3394fc88ad7ab512a276ba730feb5e93b7ce5366646e338358305c2527ba068bf9268
SSDEEP

98304:RqkSERbLqkSERb7qkSERb7qkSERb8qkSERb8qkSERbCqkSEU:1

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\UsaShohdi.asu	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\UsaShohdi.asu	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files\7-Zip\7zG.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\vlc.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javaw.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\uninstall.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\ssvagent.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.usa	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
File created	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2268	fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdacedbfee55e056c5f34c6b177c2e19_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
1d2c99b3fa4051a805835e175ae37801

SHA1
2ca547767ff47cdd3dca25116f78a242607ba362

SHA256
2235d5214984168586d68233a945c60e8c2d4b0a143e44bd1e4ab373e7e70378

SHA512
b4d5e6dec44e273cd364b6ecba8beb47fd62741ee2b16a328b9c1c16dac780cc880d4a90b1a052aa4844df8ca59e22e53eca4c81641443d865abce1094a878f1

Download Submit
C:\Windows\SysWOW64\UsaShohdi.asu

Filesize
4.5MB

MD5
fdacedbfee55e056c5f34c6b177c2e19

SHA1
afa928cfdc81d0774cdcc97fda7df796c959ad6c

SHA256
6d73d867116b13b0c96216beb5fdd421c06a88ea8d7cd9ce9af039f33a477d37

SHA512
b00e389dc7340a6e9bf9cbb9ff611883da6ea8ff9908a85bc4d5e29732d3394fc88ad7ab512a276ba730feb5e93b7ce5366646e338358305c2527ba068bf9268

Download Submit