25a4fa19259b45e9b69407c0d5da45e7791d539cf979f3cce356f9f51d3ee8d8

Analysis

max time kernel
129s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
Size

716KB
MD5

ffaf769db6529797074dd284d4f64921
SHA1

d8a2b1324791d94fa65be8885e27ae7299b13335
SHA256

25a4fa19259b45e9b69407c0d5da45e7791d539cf979f3cce356f9f51d3ee8d8
SHA512

71586c3c96869e1132aa2fba4821f14002866b1c0da170799371e5080368d376280ccd810e6f77334957e1d301fab638bca661f8de541858d8ebda575abfcc58
SSDEEP

12288:RdYEMsPUaZ/20Eyr3O11HU/sR23VjY91iU13oFw5iAlL40:RdYENPPlEa3KF4iKU13oGy

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX94BF.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCXB45C.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\RCXB6B7.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB726.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXA947.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXAA74.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\RCXC0BE.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RCX8735.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\Journal.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RCXB1C3.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RCX9158.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX89ED.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCXA6CE.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\RCXB8D1.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXAC1F.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RCXB7F4.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXAAC3.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCXBB89.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXCC4F.tmp	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.ico	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.exe	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
1892	ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX83FF.tmp

Filesize
712KB

MD5
59724ac3f4d410260ec62287f85ea8d7

SHA1
71fb457bbc2c1543d6feea4725106622c5f3a4e7

SHA256
d037fb8e0130bfca632ac1d46f6586145661f3cf586d1f5c44532294a080a2e4

SHA512
cb0fa5df1a9b7805d05263cc5215ff46df50cf8025587cdf773722020d193b50ac6919d9acc864a122ce2d7477f5b5d52ae2bec4cd43dd395ddc1e35a4a067f7

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe

Filesize
881KB

MD5
b68c2e5abd98c5ac6c561cf1df269e5e

SHA1
7b12d3008d108ee1d444c1434167734fff5ce475

SHA256
4ab9f1c685d83e1063d2bee0453074b25847ebb812dbd975eefa6adb0c8a8edd

SHA512
6591d784dee79befe4dbe80775f1697660cf68c3d3f8b27f46d524c3d8f380c2f5ef71841d4efdbdad89fb78d60266fd982fec7d009654c7c94a4b2676c6d377

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe.ico

Filesize
3KB

MD5
767c790375ac69986ed160fed75b8c20

SHA1
c74bb1c047f8bd10a639699af31b048c43292a2d

SHA256
b6ea1ea633f0de0d44d899e11564e3f1ff018c9dfb849ad40e65349343465801

SHA512
ce795d7b5cac1393598c11f18ad537007c9703a734ef1806a930aa24eb18534bf8f11811d03f0c188a7254361eaa484fa77818b6962b2573a1d5cebb073ddf5a

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe.ico

Filesize
3KB

MD5
b5c34fc5e0e1d40dda9859593349841b

SHA1
551b6657f2b2f2699503e54c7f146de61c84f7f0

SHA256
ab227a7dff0fb5720f363bfd67fd4e203fc99c62c13b18c841b5beb5d0bae8e5

SHA512
d78ce8736d1f97ea17fc07ad2ec329215b542cc321d39622052b18bf783913d3e5a24707066e178ee7b1347a680ab158fc1ee998b553693796e84637a6fbb2e9

Download Submit
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe.ico

Filesize
3KB

MD5
70f7eb6f0e42805134583ac203c2dfd9

SHA1
fc513300d133a9b8a45da81a72a10b937e909190

SHA256
3d275500cf3ebda5e878d81dcbbaa53528397ccbe631aae8fae60de1ffefccf7

SHA512
bf3126bfc018c3890afc1a105db52b9b332ed24228cf1a8e1df715287ad51161ff3fa94c88ef2cbcdda9a10bdc992691b9171fa07cfb2e8b71c35d12605a1179

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE

Filesize
1.4MB

MD5
0561d77babd55f1403ba8c77819159f3

SHA1
eda2448d3934359f8db0b71866a66712431a9d4f

SHA256
cb3cbe888bfe0973bc196a2dd631804e5c7654f97ce516eac8c680459fa27c99

SHA512
c98738f03a848b25f092b21f135072c1eb09f801297533a7014c5a795f64874651a00a773da51b5fdbf31111f294adf2ad82a3de336201d215e45a9c6e2e3279

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE.ico

Filesize
3KB

MD5
898a86d149560e1e17cbac99d14c3359

SHA1
2172174e7d2c8ba0908fa88bc98482efb411c856

SHA256
e64d8d738f20dcb38d4430d09edb482802a9c776bdc7775699732293b21f387a

SHA512
1ce2422d3b973da83535ba6e1ad38077b15916d5893d24093925c3ceaf36e56f91d5ebf136b80dcc0baff8365a131a5d398de5e0b9bdcc0b31812ee5035aaa3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.ico

Filesize
3KB

MD5
c368c506d783deba3f713b1d9def8a9a

SHA1
85491a719040cd648b4e59b7015ad3c6ce18c865

SHA256
76a9004a5c7b39801bdec8382ccda8fe94ea5aff0814fb702342f3cfc3825ecf

SHA512
6ca5dbfce7ab6c1ca69c0a2d5c54b1b8ad08ed68eb7b1369c0304a9e1a22df69c3120fd59122a8f4e2bd42d84219162ce4a42ca51965b514222ccf47d9838ce3

Download Submit
C:\Program Files\7-Zip\7z.exe.ico

Filesize
3KB

MD5
a1c23e8a6cb2d6609531c6d7f33f1ee2

SHA1
aeb4a0a2803d22951925a71ed5861b04a2fb1a14

SHA256
a02154034351a96084c018cb571f89f1858653d7bda257bfb57f2dbd3d189472

SHA512
e040cd53c2ed1e0bae6ed7598a823bb487b52cf164c84ef81384ff28f908203c0608707231d18f02ee6268079310899b152332cd0dd3cfaefd4406a871d03cc7

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe.ico

Filesize
3KB

MD5
9b001d081a779a1e1841bd4f4799fa6c

SHA1
8841e991c9cc07e6972d9e52636ca907ba2377ba

SHA256
3158513314ec77556292191919ce13df9903f2b5162a7c2b394271118c6d67c9

SHA512
04f4fe9d6767220bcec26a78a478ba3671bd667cdd06889e655c83f6caa3c52143fc888400a9d823669264d08332f310c4a722679fcb7c1f03b9be52d92b3679

Download Submit
C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe.ico

Filesize
3KB

MD5
42bcec3e98359774dc3e6c4f286f2a29

SHA1
60d64a4eef136d68840c47f6b4b123bf2d27a816

SHA256
e1cea795a25829032e1f1c4bf63e9820e4d0bff4a984b04d1ef0f1e1be283360

SHA512
a1afbf90d7d9a76d1de34070e878af26ca427b6e9b8f41f54029fe25affd9b7670c42609e56561064edcefe8cfad81a531dad880d1c46ca29cbf00cc95d8d3f3

Download Submit
C:\Program Files\VideoLAN\VLC\vlc.exe.ico

Filesize
3KB

MD5
0ce9278565508d661035efd0f7d36eb8

SHA1
680c603c0a192e1a7368a0b460dff76c813d9cb2

SHA256
35b828914be90a2b690166a88ed02e2698d45dbd490a792d04ac84bdee11d0da

SHA512
7567d74a13f6b6b8da16577a6aae0fffd475e73e085e292c8791111592c71f250037b9288a76a7fcbf9b30e318bb12c51a83f1a79937f3117b9d9c2beaca5888

Download Submit
C:\Program Files\Windows Media Player\wmplayer.exe.ico

Filesize
3KB

MD5
2e1ab871b24b664b43cd7deb467e71ac

SHA1
814f4e6bb28f02305106f36887666e71efc6e13d

SHA256
71dc4da64ff2a7c1e04d43904e45307d2c8bd85ce3c721533b8bef1b358b55a5

SHA512
c05f4695f2571dea59f3bf26e7f1d47dc3f6bc4bc9418df73af323276ad690fa2592bdf02a248a0a3241d9bf87198bde944ace66e5d6f9a6f5c6f549f1798ac3

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe.ico

Filesize
3KB

MD5
f0bcceefca16469328af3c931e1f0fda

SHA1
bd0947e61ea35bb746355b5cd155b8e6aab72d21

SHA256
0665e47f543fa6389be496605f30cf4ce96e1f2d305080062f83c738daa8387c

SHA512
19be763d79cd790b7c7b605d637018cf555a905de121ac3f031c0c730da11b80f5aff1c4b28fac2b85011be02cb8759992bbd6dc68572fdc031eeccf5dd2b477

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffaf769db6529797074dd284d4f64921_JaffaCakes118.exe.exe

Filesize
8KB

MD5
42ef186ed40ca7e162c75f1e59d1b695

SHA1
681514d355863f5170263b5e2cc6c505428ebe97

SHA256
9f217938cd9bdc9792f9b029cf3ee530b4427c2d0cc2eba7a5ff1dc39695a53b

SHA512
d500404de611b707b3ad9c0868454cff3b31c0576686e2e1afbb21a9f2066283e8027c66b2548f7984a4645568a004f0771e685e7d556b0a593a3eea2382f8aa

Download Submit
memory/1892-1664-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1892-0-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download