Analysis
-
max time kernel
96s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-09-2024 10:23
General
-
Target
fe5302bba9df06cf475640244474f020_JaffaCakes118.exe
-
Size
3.5MB
-
MD5
fe5302bba9df06cf475640244474f020
-
SHA1
9b3709925811bb759047209a183ae6b1a5424462
-
SHA256
0382d5a4514cea3a47d9d4fac22605cb246f33f90613c805772d4e2236f4fda3
-
SHA512
6337c089a3a198a585d379605c65b55c4025806d16c9432a537d7f0d7836a9f45d1c7b003089616c9306a1111dfd284382ae25025c34d6fb7881edc0b7b350bd
-
SSDEEP
98304:P+cZyY7EmZTubjvsTowt/OyJ2KEJWOaT0:PFEmZAjvs0wJjYMK
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe5302bba9df06cf475640244474f020_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe5302bba9df06cf475640244474f020_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcca9a46f8,0x7ffcca9a4708,0x7ffcca9a47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,3865667523331963979,18325257810535837515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,3865667523331963979,18325257810535837515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,3865667523331963979,18325257810535837515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3865667523331963979,18325257810535837515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,3865667523331963979,18325257810535837515,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://127.0.0.1:134412⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffcca9a46f8,0x7ffcca9a4708,0x7ffcca9a47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17738607957843649260,9134771042522977562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17738607957843649260,9134771042522977562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17738607957843649260,9134771042522977562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17738607957843649260,9134771042522977562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17738607957843649260,9134771042522977562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:13⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 29882⤵
- Program crash
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4524 -ip 45241⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
44KB
MD5396cf19c0caf614cecb6aef7251ccd0c
SHA13c7acd2e0cc4e6256f53b0311e8fc3574535e270
SHA25690d110008b50b06f3b5e980f97cb18d87fe41667c313d35fdb699b35cc16140c
SHA51286153d04d894c2a594083fae2c466f6901b89c910ef3109528271d62ba36fa70a3766210f19af4db48ea0b3a8ebc25c9f485aabf5799d48b188f23f2acd97a80
-
Filesize
264KB
MD5f45d69fe2bdc6d6299e276c914152f5c
SHA1ab2ca9ee5a17843ee3e8fc2fcaebb6fff200a12e
SHA25688f4eaa281ec2ec49061a32b02205ee558f02b075cd8add7b7927dfe1938c964
SHA512987336f547fc242855adc47243d3d2a395a7c68b88403c7fe1514aa4c321dc30b64315976c55a1d6b2c08406d4ac68bbdd143649156b614a4a5dca3086f0adb0
-
Filesize
319B
MD54b83b83b774bef1e0c7f90fdfdd9569f
SHA16621aa3b677257b498485b24c5f582d21d4bc645
SHA2566145e679763a9394551048957b0b882e2ae9daa43fadd87683824853260f137b
SHA5126876c16da83d38f990dff4571edcfec3ddc612397327cec3a6a22b65b563fb600265a8698e1f0ef080d1d4a784b132161e2890d3e5d9174dbf9e949abb641d0d
-
Filesize
331B
MD5cff066536523bdf9e40f3e2cfb892971
SHA16a73c02c25a7ebfc139cfa0a85ff04452bfb3f12
SHA256e6c831685a7ab8c835bea33735c2b54cff9565c2ed106992aace2232ff348216
SHA512e4ab047c0a85f66bd32fbacbefe7d2f082b2be0389db18869cd3aa4196ba3f14ae0ad2197f003be78a6e44cc5d26498cc838447613da0cf85fe90253ce70d825
-
Filesize
5KB
MD5d8f02573bd39c0e0ec599bfaed27dd47
SHA11d37b4b746c7d03ce5e696b35d1e5ab5a3782f21
SHA2564f0e57ffe41ccc79bd655bd3cd6ca959ffcb69ce1273202c1a0583716ec30f15
SHA51252c1cfa47f19e206a867dc6b75f203adbd22d630e3c81cb36706a7cb41af6478b45ff6d4a94753b13415ea8c8de13d1b04f5d66229e39b4b8e1fbd888c05f865
-
Filesize
5KB
MD5ffa5445075b47d361480f57f98d74d5c
SHA11ac72b83c61074cfd640a73f1631cee6ab157f50
SHA256537175e518d58b14ab870d82ca397d660f44fecfec303b9b7444e52ce7048e2f
SHA51200eaf3950e0966cc6e556bebf7a85cf0313304deed0141faf13f4a3af4e06a2c438a617538c855126a5612a3bcac0783713fc883d210a0e84f321b7b3d551c7e
-
Filesize
347B
MD5883b5801e54f44442c390f7ea4e5645d
SHA1acb9f05b6b9d7a00497283fcac8ca4697264242f
SHA25663e26bc9992bd14020a6531b822ef21554a48dec114860fd09c9a2b97b0abdbf
SHA5126a254df216cac6a946994aef18277db8179e6719718114d8240c8e2a9c97e6eb6674923b6117e0512ae5fb023173ead1c5178f461ba4b39b9e408a9ece46257d
-
Filesize
323B
MD5ec25f8462f81e93b965913ca0b149c17
SHA171328a8d50f572310eaa35bd31289569dfbb748a
SHA256e729c6f72b390c0a01ed622a39bda79e2618cfe13d15eb00fe001afa1dad3223
SHA512ba79d7b60d48f309aeecf0bc42aec055f43997d90236a45bd742c51e390c911d0635d6f42478ca2e17aff134dcfb209507db1ca64400c8fd393d42d62ebae2ce
-
Filesize
16KB
MD5f01ea58752b3e21218689c87973caa8f
SHA1300084e3438dec00be90ca8653e7aca892b3d1b4
SHA25603721c510d7cce9344e583b79560199fe2d80b87ca153531855750e046cb3d27
SHA512b4c045c812188ece339acd0afe98885fa8c628e0b73d71dcecb57ec5c181e82fa58bf01589f51a8323733537e90fb940cc2f3bedf654f17f2a2282c13d061f5a
-
Filesize
319B
MD52fce10bc2088c1a69f2bab1d9d51c3fd
SHA15272d0b3625e4c897d96c0ed51057e22923c4cb4
SHA2567d1732cc5488cd41dd60df472114afd97cc6e60ae59a48ce6fb5f548e547d4f4
SHA5127dd243316411e08453fca17cc1bd6cecf4f7177557ab04144184f33308f2f98b602d2a81d19deaf204da651dcd03de6990114a83bbef57f2891a3c6f9fed3dd8
-
Filesize
194B
MD5a48763b50473dbd0a0922258703d673e
SHA15a3572629bcdf5586d79823b6ddbf3d9736aa251
SHA2569bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd
SHA512536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1
-
Filesize
337B
MD5fe5a62868840a66ddddd81da51b7cc95
SHA13684717c9199731782df78a2f28bc8e390987d10
SHA256b1037a4bd40507d3a1689c53c38ab08e7d939bf6eabb8557793f38a7ba2cc905
SHA51215a1726f48122cc2db6d8a16b8803822b48752b1e2da235fdd5942d0f0fe26ecce79388fa9f9524a4df19856d319844891cdc070db6e4998fd6a87e86d50a0c0
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
8.6MB
-
Filesize
960KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
8.6MB
-
Filesize
584KB
-
Filesize
960KB
-
Filesize
8.6MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
5.6MB
-
Filesize
8.6MB
-
Filesize
960KB