Overview

overview

7

Static

static

3

fe4a4e8e59...18.exe

windows7-x64

7

fe4a4e8e59...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe

  • Size

    311KB

  • MD5

    fe4a4e8e594456960f7abf7838a7133d

  • SHA1

    153996e2f4523d187c6b1e7f4c1d2e3ff99fe53a

  • SHA256

    afdc6ad352071c74d625db103fc29d683c0d435e59a583105365c95b1f2707f3

  • SHA512

    18319e0ad5b5c0de22ac4d4302ee29efc026291cc470912d40fe0b2ab9aa36fce6978dc053108684c8c3ffda87427400e2f9abe0b90b74fa494617e4fa32d2df

  • SSDEEP

    6144:P53mOE5G9LNFeDcl99RxyojknbKKadPsNlTJZbTzJ2:P5eaz3jJK2PkbTzJ2

Score
7/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe4a4e8e594456960f7abf7838a7133d_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 692
          4⤵
          • Program crash
          PID:4920
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4532 -ip 4532
    1⤵
      PID:4028

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RAPIDS~1.EXE
      Filesize

      176KB

      MD5

      61e747a56bca834dba7550f01508bb94

      SHA1

      77e25940abe03f15b789dd47621ea817f750cc42

      SHA256

      b3f11767bdff36b2e5c6873d6d9b1e922699bf8ff83cb9fea18cef15c2f87ed3

      SHA512

      c56fb3ec5f69191a66be4e0db018ffa6a49f29da3a55925347a3fb4dfb7bc027e876e91a027107a91bf682c202ad30767760d4b4866a1d51f68f5f9d7307fd25

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\asdw.exe
      Filesize

      148KB

      MD5

      c5553d50594fb72ba38e92b16ce80a1a

      SHA1

      6f8928146df74805a719ed1bef3b36f40f4ae7e6

      SHA256

      b513136f4ff5618e10d61cbb59f524e6086c21bd090860a9d4ec26332ab5dc11

      SHA512

      cd178c19f5ea0721c1b55766ee6d1e0303a1141a91b089d855694c7f2e34a3a5eca5386cbf5d9971f07dd15a05dd7f21c76187b3fe8a2ef2e4d6073f7cef5641

      Download Submit

    • memory/1856-16-0x0000000000400000-0x0000000000406001-memory.dmp

      Filesize

      24KB

      Download

    • memory/1856-10-0x0000000000400000-0x0000000000406001-memory.dmp

      Filesize

      24KB

      Download

    • memory/4324-2-0x0000000001000000-0x00000000010A8EE5-memory.dmp

      Filesize

      675KB

      Download

    • memory/4324-0-0x0000000001000000-0x00000000010A8EE5-memory.dmp

      Filesize

      675KB

      Download

    • memory/4324-1-0x0000000001001000-0x0000000001057000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4324-28-0x0000000001000000-0x00000000010A8EE5-memory.dmp

      Filesize

      675KB

      Download

    • memory/4324-29-0x0000000001001000-0x0000000001057000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4532-14-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4532-17-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4532-18-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4532-20-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4532-26-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download