Overview

overview

10

Static

static

3

083de2d2dc...18.exe

windows7-x64

10

083de2d2dc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    083de2d2dc0be6af200ff93e0e1bf107_JaffaCakes118.exe

  • Size

    379KB

  • MD5

    083de2d2dc0be6af200ff93e0e1bf107

  • SHA1

    43b9c85e1c6e329b4d7427f5f0b13709d7e1c501

  • SHA256

    885a49bf9c395744f269a4c63eb71409e421b65d3aa118375c08fe07bfb90a93

  • SHA512

    21dd6e9e0e5e0c95108c701355248f03cd5fbd01a48e6984f4bb88f1c63c713e01678288f606872bb6299ec5a1fcdeaf0d70ea273d143602d05a6c4d8ae77083

  • SSDEEP

    6144://k/Go3R2v6kElrfFgmosPBMOodZpfxs3PfsIW6HrWc2GVPloHXLt4h:/Muo3R2v6JrFgtUMOgxs346LWCV9o7s

Score
10/10
discoverypersistencespywarestealerupx

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Brysiek1

Signatures

  • Detected Nirsoft tools 5 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\083de2d2dc0be6af200ff93e0e1bf107_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\083de2d2dc0be6af200ff93e0e1bf107_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\tempalbert\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\tempalbert\Server.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\dialup.exe
        C:\Users\Admin\AppData\Local\Temp\dialup.exe /stext C:\Users\Admin\AppData\Local\Temp\data.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2740
      • C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
        C:\Users\Admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\Admin\AppData\Local\Temp\firefox.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2836
      • C:\Users\Admin\AppData\Local\Temp\mspass.exe
        C:\Users\Admin\AppData\Local\Temp\mspass.exe /stext C:\Users\Admin\AppData\Local\Temp\mess.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Users\Admin\AppData\Local\Temp\iepv.exe
        C:\Users\Admin\AppData\Local\Temp\iepv.exe /stext C:\Users\Admin\AppData\Local\Temp\iepv.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Users\Admin\AppData\Local\Temp\ChromePass.exe
        C:\Users\Admin\AppData\Local\Temp\ChromePass.exe /stext C:\Users\Admin\AppData\Local\Temp\ChromePass.txt
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1628
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ChromePass.exe
    Filesize

    125KB

    MD5

    9b3b1c0db965166319469b2afa6c4f0c

    SHA1

    9f1e65a3056dff872949329c4e5e70c007cc5621

    SHA256

    dbfa10a7deeb6d1ac8fd95ffeb23b87adc58e6388e522812fabe7f710e3cdd89

    SHA512

    c11512599b83fa1875a67915a7e7454512ed8300a0a47c16692ebc1f526755c39c795fe9721dd97d417bfcb29f9e4c1f3283cf4c426af6571b3996005f7e4f5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data.txt
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dialup.exe
    Filesize

    37KB

    MD5

    9c8872c879d0a9d82988920488370864

    SHA1

    87ff4231547462e6474c832e28831dd691d83fd4

    SHA256

    8f576d5191721f8fdb47bb22950f43fc8f2c9cc880fe067090ed96e6fcb07a97

    SHA512

    3c413427c46ef92a412840479896841ffd5c6eb9215b8ecc416cdbd4f8e0f2eb643ed3b7f2e18eb5710ba7c55e1cd82af6637285ee364e069503c5ecc187cb2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iepv.exe
    Filesize

    42KB

    MD5

    28c110b8d0ad095131c8d06043678086

    SHA1

    c684cf321e890e0e766a97609a4cde866156d6c5

    SHA256

    dbc2216d5f31f5218e940e3d802998dee90eeb69af69cbeb063c69c6a5a3f1e1

    SHA512

    065e043b76b0e1163e73f4a1c257bae793ae9b46bff1951956c2174ef91deb2528730da77aab76b9e7246d705c3b8c1d23f05dc3b161cacabf3e52d0f563c922

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mspass.exe
    Filesize

    63KB

    MD5

    fbb93d4c91453b06414d6973152d904e

    SHA1

    4624232c5450e7e9e7ba1f2113a07f8800dc5b5f

    SHA256

    8898b138a3f238fa985992a9d0e48f6b5865dd2cc35e08b83fa326260c510ffe

    SHA512

    4ed926d230af576a945bdd4d9b2d4001e8036abbcf1ef9a35669823d9420b6d95b426d80384a6fd022165c1fc2485fda0e28193b99b301927236928ddfcac6f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\passwordfox.exe
    Filesize

    37KB

    MD5

    a1d6a37917dcf4471486bc5a0e725cc6

    SHA1

    5b09f10dc215078ae44f535de12630c38f3b86e3

    SHA256

    8a06acd1158060a54d67098f07c1ff7895f799bc5834179b8aae04d28fb60e17

    SHA512

    5798a5d85052d5c2f6b781b91a400c85bc96c0127cc4e18079bff1f17bd302dc07c0f015ddf1105621a841680057322eb0172ba06063f55d795b7b079f1d26d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tempalbert\pobierz 2.jpg
    Filesize

    24KB

    MD5

    1f1e9a406d8de23074998bae78a374bc

    SHA1

    7ed6e9ac84ba71b19e85cabc0da752cae3769219

    SHA256

    140864dfbe21d00af8b6d40b7aade7c3a897ba07da1d011b7a7267a123c51c6f

    SHA512

    408100e981e0694cad07e62b0021d8a217490c766c0dd62cbfbd0b21e5e260c2f15bab794cea9a34fb7456e98fa09a73cb3e26c0acc718377c41296f7b2deb29

    Download Submit

  • \Users\Admin\AppData\Local\Temp\tempalbert\Server.exe
    Filesize

    331KB

    MD5

    594fb29c84ad39e3dcf28870199156aa

    SHA1

    ec4668ba192886096d11a5898e603adf2855edf5

    SHA256

    30206ef69678baaf29718e4bd38df7c1ffad3ec9175ef36b67ac9298815ed322

    SHA512

    05189e2f9a81f59d36a872edb2cf3e871f04650a3a8b05717f4ac86d0324bf443df0a752582a8f85933047795fc692486fa9c475977233151d09c0ed21de6655

    Download Submit

  • memory/1628-51-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1628-54-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2412-56-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-5-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-3-0x0000000000220000-0x0000000000222000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2424-2-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2740-15-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2740-19-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2768-35-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2768-33-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2836-26-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2836-59-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2912-42-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2912-44-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download