866dcef893fc6286b9ddf923d71ed3a469cbed25e788d0e11a015019a19601c4

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Size

945KB
MD5

134f2436ffdafc5060550130551ee6e3
SHA1

06470ee7c7ed198ff1303afddcb62fd87388a387
SHA256

866dcef893fc6286b9ddf923d71ed3a469cbed25e788d0e11a015019a19601c4
SHA512

1b90a95c95d728c0fb864a724a1375a3d1711cc51ce40fd47c18212cfd215f1721d63e693bfb69b323db80512fd2b88d4e409c7d016942e99ee67f7cf201ccbc
SSDEEP

24576:tzYXUlBNkEp0QHSJ0vN9QOw1tecWWf4y4:ykHNkESQHSJ6zzwqFWfx4

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2452	h1deippla.exe
2424	Setup.exe
1176	hideippla.exe
2680	is-2FUKR.tmp

Loads dropped DLL 15 IoCs

pid	Process
2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
2452	h1deippla.exe
2452	h1deippla.exe
2452	h1deippla.exe
2452	h1deippla.exe
2424	Setup.exe
2424	Setup.exe
2424	Setup.exe
2452	h1deippla.exe
1176	hideippla.exe
1176	hideippla.exe
1176	hideippla.exe
1176	hideippla.exe
2680	is-2FUKR.tmp
2680	is-2FUKR.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hideippla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-2FUKR.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h1deippla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2424	Setup.exe
2424	Setup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Token: SeBackupPrivilege	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Token: SeDebugPrivilege	2424	Setup.exe
Token: SeRestorePrivilege	2452	h1deippla.exe
Token: SeBackupPrivilege	2452	h1deippla.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2452	2324	134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe	31
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 2424	2452	h1deippla.exe	32
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 2452 wrote to memory of 1176	2452	h1deippla.exe	33
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34
PID 1176 wrote to memory of 2680	1176	hideippla.exe	34

C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Temp\h1deippla.exe
  "C:\Windows\Temp\h1deippla.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\Temp\Setup.exe
    "C:\Windows\Temp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\Temp\hideippla.exe
    "C:\Windows\Temp\hideippla.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\is-AQ6PU.tmp\is-2FUKR.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AQ6PU.tmp\is-2FUKR.tmp" /SL4 $7014E "C:\Windows\Temp\hideippla.exe" 533110 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\Setup.exe

Filesize
31KB

MD5
3962b24c82cd7fd5d5ad08111bd7bf44

SHA1
dd11858aca12b6ca6fadfe3c17a034a8a7f787a1

SHA256
4087f1e8ba7f28e3d4ed533a6658f3a9869f4b8a12a0767ce46e078ecb89d0b5

SHA512
63e70f979531e3256e6919b9a07807904f4688de8cdb8c302e832c5bdccf39fe5e4cdb7bc66af2afce06cb1a192ee56812aaf10b8c5dbd0dc20a0d0a4d36b1a7

Download Submit
\Users\Admin\AppData\Local\Temp\is-8AR1B.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-AQ6PU.tmp\is-2FUKR.tmp

Filesize
647KB

MD5
b683339ce008e97a0243a0f83bca1e09

SHA1
a8a4c078225ec9d94912762bda3a745d83dbe8f4

SHA256
5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

SHA512
c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

Download Submit
\Windows\Temp\h1deippla.exe

Filesize
893KB

MD5
d677c2cb791d2c4f5d19a2a66f1b2779

SHA1
abea4f8d80abca53c06eea001ee1f49f033fb3cf

SHA256
fac3212ae04c7235d59d78ab25fe86cd18576da1c63deef755de11aed60ebab5

SHA512
062647293867a627ba1a3a0eaf042d743615f00bf33a5553c2b383afbeceb6a9f141ae54bb321ec0c3761982965b89a11fb7620a0bd6d9b5676ecb76cbe3ae4e

Download Submit
\Windows\Temp\hideippla.exe

Filesize
794KB

MD5
4f75f1c2be26ef5529b177ef126e9285

SHA1
6d8de01edb7d0a80038ac37ccbf48fd436c50584

SHA256
2683919d50bf213910af6fa7b5ade24f7b66a166220822e37e42256155389f34

SHA512
6e3691b48b001adf367563bb0725b3d650300abe0fbf2bfd1434203a4e7100d1d0591c4647d3e9aec20d33cec6b097a8c81bdbdefc0a4af355c56cc34bbb2eb6

Download Submit
memory/1176-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1176-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2324-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2424-24-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2424-26-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2424-27-0x0000000013183000-0x0000000013184000-memory.dmp

Filesize
4KB

Download
memory/2424-21-0x0000000000820000-0x0000000000864000-memory.dmp

Filesize
272KB

Download
memory/2424-22-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2424-23-0x0000000013183000-0x0000000013184000-memory.dmp

Filesize
4KB

Download
memory/2452-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2452-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2452-16-0x0000000013140000-0x0000000013184000-memory.dmp

Filesize
272KB

Download
memory/2680-61-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-63-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-65-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-67-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-69-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-71-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-73-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-75-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-77-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-79-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2680-81-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download