Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
30-09-2024 02:21
General
-
Target
ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe
-
Size
3.4MB
-
MD5
ffc21cddf522b1800d41b4a41da2c24e
-
SHA1
bdcbe7b199cb8531b2262c37d3e535ffc5aa72e7
-
SHA256
7a97516b3a8eff94b12dbaa5538373921f076b13ac3865d3299749a701510db6
-
SHA512
9479f902ee5a70bc76a44e418a9a012024ba88dcc8f7b02acdb414f61516bfe0e5c41c2f52f591b8d201612b26021d853a68261eeb6c072dcb969d270e7b5079
-
SSDEEP
98304:oTLr/vwnSlGuICx42P2ivKIrZzOMIobLCWe0M+v/1:o3rGcGskinrZ9CQX
Malware Config
Signatures
-
Panda Stealer payload 1 IoCs
-
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ffc21cddf522b1800d41b4a41da2c24e_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS73D8.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\7zS73D8.tmp\setup.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{48635C47-1EC6-4098-84D0-6BFA7D0FA2F5}\setup.msi"3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD52a50c768bac9bdf52a17e76a460f773f
SHA116cb647bb958accc08f234d9ee863129e3523ff2
SHA25696482c24aaafb06bfa1088c1229ab63f894b85bef6e59ebcf3f58ac09adcc4db
SHA51294e9cb872ba9c8f9d1560d82edeab049f4201a0604fbd19f007b63878f9e34e3d5225fb1a6eeee01e1c1b613ea152cf5efcfd24528b917c08296093d2c6e6b17
-
Filesize
37.9MB
MD5828a74f2ccb3696812c6611e4cc7dc72
SHA1a1bab8481bde5d3cdd7d9e0f79f60b6117e2cd39
SHA2565547b0adb8ecded3f22caf89e20aecc5672fc99312e98f360857613388eb9c67
SHA512a13297141dcb0b08f218aa39ba9759177b46c99038f4894fa3e73abd9fd6583d135656accf43a2e5beb69325d4e363e05f5e7bb7e74d5c70c4d63a77a8ea44c0