Overview

overview

10

Static

static

10

1252c8d9d8...18.exe

windows7-x64

10

1252c8d9d8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2024 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1252c8d9d8101cba82ac58077b236ed9_JaffaCakes118.exe

  • Size

    743KB

  • MD5

    1252c8d9d8101cba82ac58077b236ed9

  • SHA1

    93088b414ed2c0f76085eaedf177340db2179e16

  • SHA256

    b4fe448064bd73c7c3d3d6e594fda0c29d59bbfc09d629e06d76ae4d101eeaf0

  • SHA512

    a1a6be67a83c286100631a3fbe12822adfb1e9f09c58da64d94a2c9b5046082f7e0bfafb25bc74aa60a4f0a1f7421e1e14fcf776a7d36cb97eda5ad2b19ad2cf

  • SSDEEP

    12288:SfUfEpv+lDZwJ+3rU/orUZoPEMscDQRYHKwcpJK1diHa2hM7GUYQ9lw8sc:bQmDZ33rUArUOPPQ6gudiOYQnX/

Score
10/10
credential_accessspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    Smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    slapperz

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1252c8d9d8101cba82ac58077b236ed9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1252c8d9d8101cba82ac58077b236ed9_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\asdf.exe
      "C:\Users\Admin\AppData\Local\Temp\asdf.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe
        C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Microsoftnet.exe
    Filesize

    18KB

    MD5

    ddaa9ac21ce4316190e2a8780f9aa4d2

    SHA1

    0721e72c05adf6eae41d1af7fb4a47463a7a2202

    SHA256

    5daea85cf593f2bae2877b407bb1f774f030a70fd4f28167e1accea350176960

    SHA512

    17b74eda39863bf4738275b6b2df7429f6bbf0cbc43445f19e3dfd2cfa8e78907e33d39fdf5dee0652cf9676e0bb05889a05ae9c5dffa787012da6ba25594d1d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\asdf.exe
    Filesize

    182KB

    MD5

    418b25cd602de50def4a19a924331a3b

    SHA1

    52db66a78be7f9763ea2faacf75c83efcbba41d7

    SHA256

    5dc72ffa7cd14e3b30c1d485c9cd4e697eb2ed18b38842a94659ae44b7db5dfe

    SHA512

    2416ad6fd904cf3b8fbe70f7379cc6aa33707b880ed01e22598a83d1789b6f3efd54f89790a6ced3211848785d21c5ba5dc096bbd8a310692019b069a1823e18

    Download Submit

  • memory/2540-7-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-1-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-0-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-2-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-3-0x00000000005A0000-0x00000000005A6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2540-28-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-15-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2540-26-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-25-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2732-13-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2732-18-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2732-17-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2732-16-0x0000000000580000-0x000000000058C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2732-27-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2732-14-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

    Filesize

    9.6MB

    Download