Analysis
-
max time kernel
96s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 01:40
Behavioral task
behavioral1
Sample
084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe
-
Size
274KB
-
MD5
084b0e0d9ba4905509b88aae7371d9ce
-
SHA1
588f931ea58470b55b54cb68f0439d77bf3ace00
-
SHA256
f8158de1bdae482f1550ec4dce629a83fe36855cdbbe3b83df25f92cea93b4eb
-
SHA512
cf62e7c76e1aac4f7190b124c0957650946c9e14f9c1a8b84540d77a938713cf6b23584adcd56761bb217a0828266ab7b05f5c461e48997284a965e443ee5f77
-
SSDEEP
6144:pf+BLtABPDdtNoC56e3zJKiNp41V6GIeyXiRA1D0Vtd:ntqe3zJK6Y69eyXH1Dod
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/874203276105646101/5nzbSE8EceBOwJOrwMPVirH8jtpIQeEz0qVvjd8kcIpKCmQx_CmuWLlLT2qSd2VvURKc
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app 3 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4648 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe 4648 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe 4648 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe 4648 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4648 084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\084b0e0d9ba4905509b88aae7371d9ce_JaffaCakes118.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
741B
MD5c17d8e6c2dc0bbafab2707e39fc01ef8
SHA10efdfbfe81bd4a6b259dc17df312064f3fd1c38e
SHA256cee64e3a236084aa18c9a2941f3af7ecc483070858a01ae1950fc4070fec2b2d
SHA51283831b04961674037d21f88b9431994e7efc873607f7bdf9821760473a911d5099f03f0ed57e2f3abf2a719a76b7763a8447c2c699087d2a60d6e34a6966c62e
-
Filesize
1KB
MD57c674cb6c3cd3b1e95c07ec0ebec6fb8
SHA152d2a5a1a5988f48a709c807875d72c599b9992e
SHA256833d3b01184fa8f93e573b8ad4a98c963cceb119927fc7d831da4fae1bc5110a
SHA512d622aed9a5af1b40419a0446904b6305658472b91426a4d512620fb455a156d47c63356c4ca71a061c5115291c97a2f9bed4c4c2377b3f4447a7ba40b2ef66f3