Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2024 18:54
Behavioral task
behavioral1
Sample
02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
02ce0f50156c5f50b5126e1185c09f81
-
SHA1
5ee2c81a6d3a69c760df9afea14f90f897186398
-
SHA256
8fa095b2a5d9876f09f6275545fe61a06b51ba771f2ee2d873b2914a63243a70
-
SHA512
a9bc358b6276cb3fdb4aacaf4fb870277045fcc3cc798637b5b178ffeaf1c68b51122c1cc9f7721b7f6d06bb575e780af35ba9bb722c94fd73f16b43db85d1b6
-
SSDEEP
24576:FHhoAjL7/hhUF54clNf7lhhUF54clNf766uHAW92zt/sWu2BSMCqD0RU:jLto54clRo54cl8LH+tkWJ0Xy
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3432 Decoder.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 ip-api.com 3 api.ipify.org 4 api.ipify.org 7 freegeoip.app 8 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Decoder.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Decoder.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3504 timeout.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3432 Decoder.exe 3432 Decoder.exe 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe 3432 Decoder.exe 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe Token: SeDebugPrivilege 3432 Decoder.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3540 wrote to memory of 3432 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe 83 PID 3540 wrote to memory of 3432 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe 83 PID 3540 wrote to memory of 4560 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe 84 PID 3540 wrote to memory of 4560 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe 84 PID 4560 wrote to memory of 3504 4560 cmd.exe 86 PID 4560 wrote to memory of 3504 4560 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:3504
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD568c7ffe6b21070033a4c56d09fe53283
SHA1cd441c5da6de0c158f041bed572ebfaac4a6fce4
SHA256d5022dcc2534b018c7f5c40aef6aee24985a52582fec61932e0eb6b88f0ac01e
SHA51277307445e3080e90972abd5fcf802291d9decb4c7aea718d4843dcf1160eaf3b8940bb4b1d31f2c396e41ff3b8671e2b3e17aa79e1acec74ac823a2afbd573bb
-
Filesize
85B
MD573712247036b6a24d16502c57a3e5679
SHA165ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA2568bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de
-
Filesize
114KB
MD5db26309558628fa1ef6a1edd23ab2b09
SHA19bfb0530d0c2dcc6f9b3947bc3ca602943356368
SHA256e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070
SHA5124171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
C:\Users\Admin\AppData\Local\VFuLuZNFHXTJ7007F1AA54\547007F1AAVFuLuZNFHXTJ\Browsers\Passwords\Passwords_Edge.txt
Filesize426B
MD542fa959509b3ed7c94c0cf3728b03f6d
SHA1661292176640beb0b38dc9e7a462518eb592d27d
SHA256870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA5127def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007
-
Filesize
710KB
MD5d990ba8dfb9bce4cf1a9ecff5230baa3
SHA13602a632d5ff7f607f7c459f2bc5afddd4ec45d5
SHA256b08e18876518ad0d9bf796fbb2d4c00f5e54dd271178568665321aa34e46e9d1
SHA512f1d1bc3d81e57a3e3569026caa3b932935591cb08fa97d32f22f6a40461860e08468f106de840a73b70a474a5b7cb7b1b61ac7f512fc173aeb0852b9fb783787
-
Filesize
772B
MD57ba2edde542fe70f7829ce67177c5d77
SHA130b89fa45a0767da5c8722b1f8088ed6e13499e5
SHA256be722090f828277b43bc2bd83c4ee703da4dbeb56afa8391a9ba1881e58002eb
SHA5126260de75b8300a35ea09be8728198c0b8d4a7cb1327d21a54bf34818103ca403fb757d82ac6b36212f7520445b7c8ffa2719ae473c4df3b886d9191f2d98e48c