de5dd5037552ab87ca36fe6722088d4f7a3425d1e9ef7cb0b5ce6f5598dacb6f

Analysis

max time kernel
95s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe
Size

80KB
MD5

fe3a3c785f3f6cbeec9205b2a7dbcc3b
SHA1

85d9bbb396d3a698e2597c5a937be4ff567f8a3c
SHA256

de5dd5037552ab87ca36fe6722088d4f7a3425d1e9ef7cb0b5ce6f5598dacb6f
SHA512

7a4b04ac8d09581f555c3d2ae94c98a7e5e21363d50dc773e8e5ffe4dd92c9abeca55989b83bce4b5c1ea79d9cf1fd969ac7889b8cf23a45103d7f34937af337
SSDEEP

1536:X/GUG+QX+HmHYSZqHx2nMdcmwkc21JUEbooPRrKKR:Xc+QXoQ/ZscnookL1JltZrpR

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2164	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4308	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4308	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe
2164	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2164	4308	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe	89
PID 4308 wrote to memory of 2164	4308	fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe3a3c785f3f6cbeec9205b2a7dbcc3b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308
- C:\WINODW\system32\svchost.exe
  "C:\WINODW\system32\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINODW\system32\svchost.exe

Filesize
80KB

MD5
fe3a3c785f3f6cbeec9205b2a7dbcc3b

SHA1
85d9bbb396d3a698e2597c5a937be4ff567f8a3c

SHA256
de5dd5037552ab87ca36fe6722088d4f7a3425d1e9ef7cb0b5ce6f5598dacb6f

SHA512
7a4b04ac8d09581f555c3d2ae94c98a7e5e21363d50dc773e8e5ffe4dd92c9abeca55989b83bce4b5c1ea79d9cf1fd969ac7889b8cf23a45103d7f34937af337

Download Submit
memory/2164-30-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/2164-26-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/2164-28-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-6-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-5-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/4308-0-0x00007FFAEF545000-0x00007FFAEF546000-memory.dmp

Filesize
4KB

Download
memory/4308-10-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-12-0x00007FFAEF545000-0x00007FFAEF546000-memory.dmp

Filesize
4KB

Download
memory/4308-13-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-4-0x000000001C1C0000-0x000000001C25C000-memory.dmp

Filesize
624KB

Download
memory/4308-27-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-3-0x000000001BC50000-0x000000001C11E000-memory.dmp

Filesize
4.8MB

Download
memory/4308-2-0x00007FFAEF290000-0x00007FFAEFC31000-memory.dmp

Filesize
9.6MB

Download
memory/4308-1-0x000000001B660000-0x000000001B706000-memory.dmp

Filesize
664KB

Download