52865747f5f537ef2df75e2492adaed1153aeb5d39186bc8e56bb706c70deed9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

018077f287faf0391560a5f827728921_JaffaCakes118.exe
Size

194KB
MD5

018077f287faf0391560a5f827728921
SHA1

93145b069301cd489a828e7bc688829c819048e5
SHA256

52865747f5f537ef2df75e2492adaed1153aeb5d39186bc8e56bb706c70deed9
SHA512

449dd073d6a8e0e244544db591c6a01ba350f6d955c534f68622da37da0ee30a33846a52cd17e7bbee9560e35a46d6f94648b85451f1f4de1d82f52f5fc014fc
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUUF7RT8AhL4ZITgt:h1OgDPdkBAFZWjadD4s5F7bhL4ZIMt

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000018c05-48.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1724	50dd80a543c4a.exe

Loads dropped DLL 4 IoCs

pid	Process
2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe
1724	50dd80a543c4a.exe
1724	50dd80a543c4a.exe
1724	50dd80a543c4a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018c05-48.dat	upx
behavioral1/memory/1724-51-0x0000000074CD0000-0x0000000074CDA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	018077f287faf0391560a5f827728921_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50dd80a543c4a.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d21-16.dat	nsis_installer_1
behavioral1/files/0x0008000000016d21-16.dat	nsis_installer_2
behavioral1/files/0x0006000000018c31-54.dat	nsis_installer_1
behavioral1/files/0x0006000000018c31-54.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1724	2512	018077f287faf0391560a5f827728921_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\018077f287faf0391560a5f827728921_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\018077f287faf0391560a5f827728921_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\50dd80a543c4a.exe
  .\50dd80a543c4a.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SaveU\uninstall.exe

Filesize
48KB

MD5
e9c9582996a23b2a49a058dcaa3b5525

SHA1
f527cc64e759f06c011e5eeffbd217d5249c04df

SHA256
43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9

SHA512
665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
624e3b4d6007b76197ebf979f8661402

SHA1
edbf4ce4784cb7c291fde837aa8ad7e24a2a8be2

SHA256
625f19de170f2472ad70dd8385da87abddd3cdfd479b2202b405b00aef17c69b

SHA512
63760a8777ad919335d8965ad0169871823d9589cce31f321827b93444113154af81bd74b464ebe1f91da8ce6feeee2eb08134e11defdbb0db4fd5575296a37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
2d56c4c421017239d6b1f00e891ffa56

SHA1
5acf3341e7839c36d4b632e63eaff0d20e49ae9c

SHA256
65815625ed8b418d7fd7ac840ebbd48b7ff25c17a4598024a21cd1886140754a

SHA512
589c98b359b4a7221d38f9d455f8815e772087cdaf15911c558b1b3973691d76eb43b68a25203f3f1d19aed14a4ce73a1cd0ef27355c35040c93a7450a59b5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
4f250057c1c6f29ae03c28fdc9f1fd1f

SHA1
67fed4b8e876c3529fc903814a8a4f50d935b3a3

SHA256
1b035119c6ea55b4d2197cba43855d776d0b2ef0ffd5637daf47d62c40834e9f

SHA512
814dec99a3342d4de09dd81b899b38a78ce60c4ee92a19bf6df516f9e6800fc73c2cc031b026197cd65634abef3f5c7b80e35e88191cb28093815e0257c63ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
fddfb4cba409c14e7644f292ce793491

SHA1
d72180ee8758ce51c050c9519859044d658ce2e2

SHA256
d45b3bb4f5690ae4c94fcd277d444d400776e2d7687b8d45d40b823bb7e2ef91

SHA512
b4c5d92744d2c77bf96fc13edb501fb86652ec1d78d575c673c9297971c4d6ed836e339e90ddbab294a0fb662549dfa6655d91aa73aa706a2545fb7903291605

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\[email protected]\install.rdf

Filesize
697B

MD5
2c2ee2ef7e431896839aee1c31ada75a

SHA1
6b5e9430eb946498128a941792b6f7f43109a3eb

SHA256
f5d715e8ffdedb2530ad929cc28acd71b5c046cd24b4a8f19723f12bccebf702

SHA512
3dcb7cc58e31ae21e1b1afdffc7c760c45e716ad2ecc142bfd9fc80ec1f83f31375fce3baacd0716f84dc5ecf0336332141e28852cdfbab787b2b3ce3739908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\icndfflceblepieolgnnjjgffidafdmk.crx

Filesize
8KB

MD5
a1b1da949677b8943e3e33dc28cddf3e

SHA1
4e831e225f3fdb23533b47a50aacae2cf931c311

SHA256
db5a545f7dfcef6b829d4837c6e1918cde7f9e71e4d46cf6a5cb6261f7bd9c88

SHA512
cb6a257a746470d44f6ac8982d6dbcf07e33e0759a218c4d339041de8c1e4620db662a4fa337291895bffd2624b510167beb66240f1565f98751420747a4ef2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\settings.ini

Filesize
699B

MD5
6934d13a05c4b9293ec7410f33a55392

SHA1
5cae690272dcca01f983ccf6bf10f6f826b2c3af

SHA256
f32bf7606aab3c88f9dd062c79901879e2f22460909f91d7520c984c7c3aa1e2

SHA512
54eeb271f2ab514a90248dcc6b72a6a28f4ec957a2211697310b5ce9d0a7d73c72889217993bf92b0116d84ceeb7f770658aee7727800e2d3a481c0b41928ea7

Download Submit
\Users\Admin\AppData\Local\Temp\7zSDBED.tmp\50dd80a543c4a.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC4C.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nstDC4C.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/1724-51-0x0000000074CD0000-0x0000000074CDA000-memory.dmp

Filesize
40KB

Download