9487e25d73ed33232d8947d41fb3fd0336934852564bee67159a67a4d93aa489

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe
Size

188KB
MD5

0eb62dc4fcb05cb49e426330725ddb4e
SHA1

e5f0b2b867cefd2f4e8cbda250bde12701b75bbf
SHA256

9487e25d73ed33232d8947d41fb3fd0336934852564bee67159a67a4d93aa489
SHA512

7b6a4b56d4d434d2effc9d658166dfc9e8adced7c54052ca8b204112b99016cc66766fe804f11430e00e8c6c09091447eeaf5eea6cb7bde878b1e190f2ace383
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUU64Qd/aQeRgpo2FbA:h1OgDPdkBAFZWjadD4s5/QczRg7FbA

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	5062ba7e8e220.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	5062ba7e8e220.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5062ba7e8e220.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002345b-17.dat	nsis_installer_1
behavioral2/files/0x000700000002345b-17.dat	nsis_installer_2
behavioral2/files/0x000400000001db78-51.dat	nsis_installer_1
behavioral2/files/0x000400000001db78-51.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 3004	4272	0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe	84
PID 4272 wrote to memory of 3004	4272	0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe	84
PID 4272 wrote to memory of 3004	4272	0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0eb62dc4fcb05cb49e426330725ddb4e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\5062ba7e8e220.exe
  .\5062ba7e8e220.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDownload\uninstall.exe

Filesize
48KB

MD5
a724dac649142fef71fe4b529684e969

SHA1
e2878e84886ec53a1332ad969a825062526b5cd4

SHA256
b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc

SHA512
9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
a07587a78e6331798bb060d9c3781f57

SHA1
f0bfeb61c9fe4fdd7df6292789864dfa3f82c31b

SHA256
4ff15396b2becfbee1ca1c1c05252cd640c6002cd5a59e2ab822dfc266e73350

SHA512
73373b512e22a0ffa81cc050c87ec686842effa7fdcb2ed4f0692030f2b9c5777bcdf6775b4f6856b908ad73ab10ef1a23ea2f154dcb56760f2aa4d1b4d7cb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
127ae21aa18dd73cb33faa0410499251

SHA1
2f21e0f865f3cdbf9d724051eeb4c1790819d6e9

SHA256
f5beebc173c365d1c079fe6347538e88682a773427a4bf4ad476145b82e4d54e

SHA512
523f78ba7a1a71480996f81ef1301a73c571a7af1d3c69127c094b383c84bf6ff0964f14f486ade5397400d7b0f5623ffbe99241d6412114be1f9cb4faf2e81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
0cabe0d68868eedd91640df7b99ceb79

SHA1
9fb60ca5a37f9956b0ba8bdd297ddef820684e62

SHA256
1e32e3482693d946912a32510fbdf918973b5b4b027c6bbf95b13676b0569b55

SHA512
30faa27ef05f67b992724260a4ffc3c9b1e94e320e7ccf65e6cd008433fe8f97c2c5ea19c7e9d2b467576b4208664c9d4e7f5edbe7c4de4ebe8910c570a61e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
fa0ca10690431e996f8b0f9f87a92591

SHA1
a261729e10f4a5859c74823530d1391cd48f8640

SHA256
3a8159498b5a2c46e81556ef33d3418eeb949c41df91b2fb02d5af5140cee83c

SHA512
b166e094cda9bb967cb75e606357a25a9a8ee2d4019520ea95fa384f226f330ec7794d7d6bb7eb94211b368f1f001614bc64b611af8465ebcca5c9c011f2e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\[email protected]\install.rdf

Filesize
717B

MD5
6ba9acd2359d21c0ed6131d48ba7e46a

SHA1
809db4f73017a28e9155dc3740ca32bf533c9182

SHA256
26dd1f4833b19d4888694ba0fa8a1b1d2a6e56a5cd11a59e92ce260ed334f212

SHA512
a2bb0accfc5fdce90c15fa6c64ac69e8ec60c6b05513eea7ee065689977ec19ee95a98027d15a4b4bd521aaaa8211220ffb949344282f624baf98d1a36da75c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\5062ba7e8e220.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\phddmkhbkmdkmfhlihflgjobaonacbog.crx

Filesize
7KB

MD5
6ba52ec18057f565047fc330dbbeefb8

SHA1
ab93796f8491129a6ad61628c5b8dd50a7b11e99

SHA256
e06b7b77d56e3a97d9bbfa872b7aae999bd02bf258a1c1b0b63cd621912274a2

SHA512
cfe6dcf9e6937beaf0455323e0ef9d23a675b2e92d342913ec654ba00bad80584b94c56c1218ee003d06ed416406088d885429c8d87e7c6c26f98c5c11cf41b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5DA1.tmp\settings.ini

Filesize
640B

MD5
436c0d3359f15c7cdb7719062a9bdb6e

SHA1
c980ca115055664c85423e9271626ed23aa30bdb

SHA256
fef517276e25102b64c0ede4b86ac23ad506a534a43923304f91280ba4c4a2c2

SHA512
8d22cb813e700c95db23fb471b7a2587153571cb599198ecf648acf5c7f3fece22965d75cba19b6d44469c093ad427616ef5a5e885d212b371d037ee5214d9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E5D.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit