afdc6ad352071c74d625db103fc29d683c0d435e59a583105365c95b1f2707f3

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
Size

311KB
MD5

fe4a4e8e594456960f7abf7838a7133d
SHA1

153996e2f4523d187c6b1e7f4c1d2e3ff99fe53a
SHA256

afdc6ad352071c74d625db103fc29d683c0d435e59a583105365c95b1f2707f3
SHA512

18319e0ad5b5c0de22ac4d4302ee29efc026291cc470912d40fe0b2ab9aa36fce6978dc053108684c8c3ffda87427400e2f9abe0b90b74fa494617e4fa32d2df
SSDEEP

6144:P53mOE5G9LNFeDcl99RxyojknbKKadPsNlTJZbTzJ2:P5eaz3jJK2PkbTzJ2

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1504	asdw.exe
2500	asdw.exe
2156	RAPIDS~1.EXE

Loads dropped DLL 11 IoCs

pid	Process
2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
1504	asdw.exe
1504	asdw.exe
2500	asdw.exe
2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
2156	RAPIDS~1.EXE
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 2500	1504	asdw.exe	31

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hackhound.txt	asdw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2784	2500	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAPIDS~1.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2500	asdw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1504	asdw.exe
2156	RAPIDS~1.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 2960 wrote to memory of 1504	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	30
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 1504 wrote to memory of 2500	1504	asdw.exe	31
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2960 wrote to memory of 2156	2960	fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe	32
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33
PID 2500 wrote to memory of 2784	2500	asdw.exe	33

C:\Users\Admin\AppData\Local\Temp\fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 296
      4⤵
      Loads dropped DLL
      Program crash
      PID:2784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe

Filesize
148KB

MD5
c5553d50594fb72ba38e92b16ce80a1a

SHA1
6f8928146df74805a719ed1bef3b36f40f4ae7e6

SHA256
b513136f4ff5618e10d61cbb59f524e6086c21bd090860a9d4ec26332ab5dc11

SHA512
cd178c19f5ea0721c1b55766ee6d1e0303a1141a91b089d855694c7f2e34a3a5eca5386cbf5d9971f07dd15a05dd7f21c76187b3fe8a2ef2e4d6073f7cef5641

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE

Filesize
176KB

MD5
61e747a56bca834dba7550f01508bb94

SHA1
77e25940abe03f15b789dd47621ea817f750cc42

SHA256
b3f11767bdff36b2e5c6873d6d9b1e922699bf8ff83cb9fea18cef15c2f87ed3

SHA512
c56fb3ec5f69191a66be4e0db018ffa6a49f29da3a55925347a3fb4dfb7bc027e876e91a027107a91bf682c202ad30767760d4b4866a1d51f68f5f9d7307fd25

Download Submit
memory/1504-22-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/1504-47-0x0000000000400000-0x0000000000406001-memory.dmp

Filesize
24KB

Download
memory/1504-19-0x0000000000400000-0x0000000000406001-memory.dmp

Filesize
24KB

Download
memory/1504-26-0x0000000000260000-0x0000000000267000-memory.dmp

Filesize
28KB

Download
memory/2500-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-64-0x0000000000030000-0x0000000000037000-memory.dmp

Filesize
28KB

Download
memory/2500-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-46-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-39-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2500-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2960-0-0x0000000001000000-0x00000000010A8EE5-memory.dmp

Filesize
675KB

Download
memory/2960-11-0x0000000001000000-0x00000000010A8EE5-memory.dmp

Filesize
675KB

Download
memory/2960-1-0x0000000001000000-0x00000000010A8EE5-memory.dmp

Filesize
675KB

Download
memory/2960-17-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2960-16-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2960-62-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2960-63-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/2960-3-0x0000000000840000-0x00000000008E9000-memory.dmp

Filesize
676KB

Download
memory/2960-8-0x00000000010A3000-0x00000000010A4000-memory.dmp

Filesize
4KB

Download