Overview

overview

8

Static

static

3

180040ed64...18.exe

windows7-x64

8

180040ed64...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/10/2024, 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    180040ed6478620d18995382d32b69e0_JaffaCakes118.exe

  • Size

    47KB

  • MD5

    180040ed6478620d18995382d32b69e0

  • SHA1

    2e07d994103939d674bd24392ff18fb2358d162b

  • SHA256

    09c010a1200b975ebf39bbca18b07a84857b63f43b146555df253147ec03fa71

  • SHA512

    53b55e9ef282e42e3dd4dc3732723f8b84c09cf8fc75af4d7e3a2cdf28c5954c036c59c70f53730bbcf94ea1b89029cd56874a609a7453b0456f495ff78a1b36

  • SSDEEP

    768:P0Sr1ElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/aMDYMUrOOKvL3eIb1:P0KaYzMXqtGNttyUn01Q78a4R6LTTHqm

Score
8/10
discoveryspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\180040ed6478620d18995382d32b69e0_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\180040ed6478620d18995382d32b69e0_JaffaCakes118.exe"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF622.bat
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Users\Admin\AppData\Local\Temp\180040ed6478620d18995382d32b69e0_JaffaCakes118.exe
            "C:\Users\Admin\AppData\Local\Temp\180040ed6478620d18995382d32b69e0_JaffaCakes118.exe"
            4⤵
            • Executes dropped EXE
            PID:2580
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Drops startup file
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1236
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2564
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2236
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
      Filesize

      258KB

      MD5

      435fb5c0857ebe2a4748cfd4882e0d49

      SHA1

      028112530aa3935b97d0ec7c553a2209fde35a23

      SHA256

      837f66fd0066b9df6599b467f5fffef80d70e05a4decff973ffd205eb1714713

      SHA512

      ff23dc5972bbe1a814e3fba88467749126af448ed531c0d1a2a5a7ac3f6878fcf734220f63c20b1ba0eeae2ac6acd5f072462d3bf5eee17bc9e40ab4d7227acf

      Download Submit

    • C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
      Filesize

      478KB

      MD5

      088de1a4ba8398d8dca882a5e1a39b3c

      SHA1

      e55b08067c77d502f9a384f0cc241d339285accd

      SHA256

      1eb73c2bb44d2c5ba9364585bebb7c3250fbe9f9f5cc0baf24b805daeda7f1eb

      SHA512

      4569e66c0b11ca40e1f44a6ca6b0291859c1c3ea2fc9b8159bfb1ef98657e2f031c6b01d84eb02fdc5f3152eb8868ef187321e9ed64776760a19784408fa1c1c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$aF622.bat
      Filesize

      614B

      MD5

      24e3eba475da7aeca8d3dc821045c5e3

      SHA1

      d505222f4d8b0499df9d55aeda782d21297112c8

      SHA256

      fe06cecb225ad7bae7213d6955434e9eccfb0ff4cefc3b44d283160e2fe933a1

      SHA512

      6189bf64a7f6f77d3e9fd60c2a40b7016426ccb8ede016ce1d3990ffcff701899362ae461a68271ab907594232fcfe82c8975bdae71890679ec78aaead04aa43

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\180040ed6478620d18995382d32b69e0_JaffaCakes118.exe.exe
      Filesize

      14KB

      MD5

      b7a2fbbeb343cc841bb2a0e846455769

      SHA1

      591e1dc5e6f73212072db6873ce764a76056e2a7

      SHA256

      cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

      SHA512

      69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      33KB

      MD5

      e958c2ab465fff6989534a6828d7bab8

      SHA1

      826c07c6187012aa9987e37ffcacb1ac7796d02c

      SHA256

      29c5138e3ce3e9333338bc9b69133907f848de4404fd33ea10c3aafd0c03ae6e

      SHA512

      0056ffc8363d94ff48ad57fa5b1cd7799250a982890d9881acf7006f281bfce0e9fd29a0f5dd4a622a094acb4f9f207bb09bd7fcdd70fe4e3825caeb03d795f3

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini
      Filesize

      9B

      MD5

      b8eb46e1bdf11b43e775bc46642c7950

      SHA1

      1c08b422249f0a0fa1d7d2c3946f6aaa8b669da5

      SHA256

      1760d532341817f2887d51e6a9b5fcc53a69eb75e3591356c5b25c40d6b04f60

      SHA512

      d947832ba4e2593b7d04760d9e285d10021b0dcf3040fa0aeb82cde089afaf6384865d482ac9acd6ae5473d57e79b8d242254b6372f7d759cd00e95fe339c37c

      Download Submit

    • memory/1188-30-0x0000000002E70000-0x0000000002E71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2652-34-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2652-18-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2652-2964-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2652-4154-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2776-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2776-17-0x00000000002C0000-0x00000000002FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2776-21-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download