aea492182ac46cb4b0a4eb5b309257aa71fa63d7eaad740b9085eb2837a6e50f

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
Size

470KB
MD5

02a865b167b5088f909441f34eb46dd8
SHA1

ad00d83f7dee2404846a0ec338b7cbc3c70961ce
SHA256

aea492182ac46cb4b0a4eb5b309257aa71fa63d7eaad740b9085eb2837a6e50f
SHA512

b223850833ed96816f0b494bfa3264a8ba92bb820ff5078f1b31179acda691a6ed72f80618bdce0ce916fa248e0be4de88f0cfc81bcfb853e89a1c46922a7963
SSDEEP

12288:5F5uZ3eVh7Gxk7Mef6chlgO3vw/4La/SXgHzMDVlt:5qeVh7u+7fPgO3Y0QzM5

Score

9^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2328-30-0x0000000000400000-0x000000000041D000-memory.dmp	Nirsoft
behavioral1/memory/2912-61-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2328-30-0x0000000000400000-0x000000000041D000-memory.dmp	MailPassView

Executes dropped EXE 2 IoCs

pid	Process
2328	BE41.exe
2912	D29D.exe

Loads dropped DLL 10 IoCs

pid	Process
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	BE41.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 = "C:\\Windows\\system32\\qtplugin.exe"	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\qtplugin.exe	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016d4f-12.dat	upx
behavioral1/memory/2328-27-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2328-30-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x000a000000016d4f-35.dat	upx
behavioral1/memory/1908-38-0x0000000002100000-0x000000000211B000-memory.dmp	upx
behavioral1/memory/1908-54-0x0000000002100000-0x000000000211D000-memory.dmp	upx
behavioral1/memory/1908-53-0x0000000002100000-0x000000000211D000-memory.dmp	upx
behavioral1/memory/1908-50-0x0000000002100000-0x000000000211D000-memory.dmp	upx
behavioral1/memory/2912-59-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2912-61-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BE41.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D29D.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
Token: SeDebugPrivilege	2912	D29D.exe
Token: SeRestorePrivilege	2912	D29D.exe
Token: SeBackupPrivilege	2912	D29D.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2328	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2328	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2328	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2328	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	30
PID 1908 wrote to memory of 2912	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2912	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2912	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2912	1908	02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02a865b167b5088f909441f34eb46dd8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\BE41.exe
  "C:\Users\Admin\AppData\Local\Temp\BE41.exe" /stab "C:\Users\Admin\AppData\Local\Temp\BE41.tmp"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\D29D.exe
  "C:\Users\Admin\AppData\Local\Temp\D29D.exe" /stab "C:\Users\Admin\AppData\Local\Temp\D29D.tmp" /no_pass_cred
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BE41.exe

Filesize
47KB

MD5
58a96adf790b82bdab58cc501f3a1318

SHA1
ffe5f1d9a3e09b5311e823f562043fd31cfe6738

SHA256
4e38a0fc72a1f6bb32f78fc78ab925e12a5be19794c90e428a632ae79d719d36

SHA512
9cac2e5a7e60583cb9e8c082e0db7d734b9417208db525b2297706bb62b22fedc2cf8bbc2e4c85efba28a7eb92221453df95a8ad4b8439ece789d5255ce4014c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iepv_sites.txt

Filesize
186B

MD5
762c597cbf0458242b32a770b29830ab

SHA1
079c64621c88414e9e59239eec0c789c0071dd68

SHA256
efacaa084e12cf26bc25ad83742b6ae9b1df4a537f13df802563af2270462cd4

SHA512
c0c4edc550b8f1fc36ef74b233b0e85a3669cb913057b4854d99d517554b6a8d17201938e7c3225eb6c87e9eb3277c9044f0013f28bd27bd644ee8fd5802d661

Download Submit
\Users\Admin\AppData\Local\Temp\D29D.exe

Filesize
42KB

MD5
28c110b8d0ad095131c8d06043678086

SHA1
c684cf321e890e0e766a97609a4cde866156d6c5

SHA256
dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1

SHA512
065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922

Download Submit
memory/1908-53-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1908-77-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-15-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1908-25-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1908-24-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1908-82-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-50-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1908-29-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-81-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-5-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-38-0x0000000002100000-0x000000000211B000-memory.dmp

Filesize
108KB

Download
memory/1908-37-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1908-36-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1908-57-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-56-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-55-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-54-0x0000000002100000-0x000000000211D000-memory.dmp

Filesize
116KB

Download
memory/1908-4-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-28-0x00000000004E5000-0x00000000004E7000-memory.dmp

Filesize
8KB

Download
memory/1908-14-0x0000000002030000-0x000000000204D000-memory.dmp

Filesize
116KB

Download
memory/1908-3-0x00000000004E5000-0x00000000004E7000-memory.dmp

Filesize
8KB

Download
memory/1908-80-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-65-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-66-0x0000000002100000-0x000000000211B000-memory.dmp

Filesize
108KB

Download
memory/1908-67-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-68-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-69-0x0000000002110000-0x000000000212B000-memory.dmp

Filesize
108KB

Download
memory/1908-70-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-71-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-72-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-73-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-74-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-75-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-76-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-79-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1908-78-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2328-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2328-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2912-59-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2912-61-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads