Analysis
-
max time kernel
148s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-10-2024 22:40
General
-
Target
26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
26894f8c16a724b3b92c47bb2ad008c1
-
SHA1
b9e10f49636e54ffbc82c3f4ca6a4e37c6a40d16
-
SHA256
1a3f8caad129ba23d361cc874d2b6a9cd2b237426d627ec50399332de6399305
-
SHA512
7143dd298e50a5d707d08c39b3e1f831ae2d002a4a7b37a0a9cda90936cc8057933f3e9c008ac2be0c39f1fb133c45ba98796e093dbfad10594fbc21ad18beb1
-
SSDEEP
24576:hTCMXuthC1jc1a05AuL7FyA/5JCgFeRmX2lSHEt0KvG8iiN/7X7VIwF0M:hTC4uOVcY6JL7M8CEimGlSHU0GGw9TJR
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 16 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\26894f8c16a724b3b92c47bb2ad008c1_JaffaCakes118.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-457978338-2990298471-2379561640-1000"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Your Product\updates.exe"C:\Program Files (x86)\Your Product\updates.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:654882 "__IRAFN:C:\Program Files (x86)\Your Product\updates.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-457978338-2990298471-2379561640-1000"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\alg.exe"C:\Program Files (x86)\Common Files\alg.exe"5⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\Your Product\Tube Increaser.exe"C:\Program Files (x86)\Your Product\Tube Increaser.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Tube Increaser.exe"C:\Users\Admin\AppData\Local\Temp\Tube Increaser.exe"4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Your Product\Tube Increaser.exe"C:\Program Files (x86)\Your Product\Tube Increaser.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\PROGRA~2\YOURPR~1\TUBEIN~1.EXE5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 56⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5d81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD51a7c89b423b0ea055c88df567aed676d
SHA144c023bb04870bda07576a2330ab44d5ac7ab4bc
SHA2569fb9dba9bd7b85c48fb4f7b9c0f839784bee292418d000984e2fa22e1e2b9a03
SHA512bb1c9a6d2a39448e479631d309f7499698d93e7edfaa66627b51f2781f6a3bd2c44b58b039c71ebcda64c010b0db81efa5cb41a6bb755001902895cf49926df7
-
Filesize
6KB
MD5ef8e5afcf3150c2c1238483b3bda20c9
SHA1d12fa6ebfee7e27beef32c71ea30e76968fa4837
SHA2565580118ed4fa27e61db13b5f3668ba53836fd29931ada3133bf25de02aa13773
SHA5121780fb04b110cd100b9720dd8adb84cf7cc6b0461b3ae3a01c8b8ca0ff7c93f8b736075ab1e3f0a96abb4186281b3b68762104d109fa4631304ea7ef7a45872e
-
Filesize
342B
MD5e7fed89583920da732f1b20c9f634e63
SHA19e61a5f53e8f4b31c36f7db5187b8ca314e53515
SHA256351356c49bcb13679db02524f3658b12646dce70b6d1ef415dfa0b4f58a8d1fb
SHA51265e677667bb3b5dde0fe8c8c9a6812034cad339960eb8ac857df1496a7a38f69192410bc8730fe0ca140524ec5eeebe8baa9562317db3677ccff781e9fa20999
-
Filesize
342B
MD5d8e4d30feacfee01dcef31a2e4fb153a
SHA1a1af7ec410ff11c261615fb922407a80c539e386
SHA2564ec5634e4089ba86ec6de8d7648c59228510eaf71038c7968b470a2d12d3bca8
SHA512ef47be8e26fd5459d76958cdc259f4eb4362a1936a967846d4a8ba384c04d1d22fdcd2828134c8079e522d30c60bbb10f5234b52a931b6e96e27c782766c17fb
-
Filesize
342B
MD595e781d8b8296e4e67f38ea97b8ddef8
SHA180e440d0dbf8c3356de070bf1feaf929be10b580
SHA256f1257f6b24a74680c90932b9daecb2aca0587bea9521ad55eaa5d47279ca5134
SHA5126152013a874a9b31b9644216ca6fa1ae1f683361d397051fe536c3a1511ab16117de485054cb09d7ea11efd6fb67f3b24bf5711485a3eb63b974a23260d4f587
-
Filesize
342B
MD5caafd2d33cb7faff36180068b741767b
SHA13d72c5e08afb959157abba9fc2c8e30793665e7b
SHA256a55049cd7cc8b8908d313ed8e5bd3ddae717fad365d3eb85314a6e97eb8abcd0
SHA5123c3a5aaf2e597de3080f2888c733f6d895b6b42763c3680135582f0a1b57fc9a82aa2c7cfb0d5034a4c5958e98d4d9399e3542c9a01da376b2f4dfe4cd06f15f
-
Filesize
342B
MD53a4e3fd44662dcf91cc400f675f997de
SHA1733636dd184a827b0c6499293da00397db248348
SHA25648de9ce8ca69e510260c67df85cf3ced8674d32f52384aaeb5758032f676f186
SHA51275b6ea0caa714bfdf7d4c470e1c1905df06c59668de2db0c7f157f64835b2fa1821ff2ac636252d9d603e0dd9c73d3f3025f14f8ef47c770de6f17401a420614
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2KB
MD5af18f3f894be69733e04750b236e219a
SHA18e552822666e75f5b6054787e827ff51d3425a2e
SHA2564ba385aee9eae013c9cdeb58fc1023475b003d085d84c1707fd7bfe1901238fa
SHA5124ac3416323376aae7043b030bde30da02d339773c539815a1e9fe4ee2384fbe8132d83f68a054ee254424134a3994e47749b20ac0f3f69ada77e1c28120c4cbd
-
Filesize
98KB
MD5b7f9218355f149061bc5cbabf605dde9
SHA1edcfc72f7de9be8d8d258649547fca29b4105642
SHA256efec700c088e7f6e6c2213ec40c815359f8136b4e65e104030005c0c600c6a72
SHA51209e61f2d7ee089ef0f2963147f86dc86ee348a35b441b53b8257ea686b07571089cf283a9420ec320f8ab1c5083475098ee7fa3619b49978b262946745052e68
-
Filesize
108KB
MD561c3525b4acb2b1e196df9a098505b64
SHA1c0b5f04efc80af7c71827dbc840a034d31505884
SHA2569b072f5db95eef0e15553497c72b39f35777b05e20a2fe6ac4e853f946fbfae6
SHA51240697454af6d0893ab95f308422221f13f3dd39f7b398f34d7ad5f372321b3a4b5faa5472e841b23c614c5381be862d322b284359a0132d67c5f9583af205659
-
Filesize
675KB
MD5f0fda7be6d41410c0c8cc46a461ec0d7
SHA1026778461924cb8aa68121a519c09eb64192e1a4
SHA2566c6dd0385104635e6fe40a8d583806a6d6689eef99ee6c34a140f54d06b73746
SHA51295191d98a625e517b8e057e88734e7106518fec09368e3ecb247eafab63507c7d58c2cb5bba2f5f948e94d76631d5ecf90b75874aa7295bc0dada9c4e1f4ea9c
-
Filesize
69KB
MD5c016ee709ab74fe9df77a27b7222d267
SHA1d1c26fdb784bf6367b9902a1ed3a9800fc4b41de
SHA256d91a8981f9649ff8222225b70aef5ebf51d2e5d11876f1a457e20808635a6687
SHA5123a65429a3bc0682531ad91eda041673120528d8ae7aac2518697ae194dc24880e2ccc5722ae4acee18f6f92fbbee712e5d97ccad15e099e6f3a0dd8e18fd376c
-
Filesize
562KB
MD52a6851974cff57bee62a83c52ce68863
SHA1c3b22bb00c555274d6413ae48e3ed82103462ff6
SHA256d2e97cdb120c1a88340553db0de85b525b2f3fae163715c789dc1ba3f76b72a1
SHA51225e1a733873f8ab294a281ec658c117d8c93b89ab63a73f199d9b53b25738e3f906822fd5915f360c24bcc9ad1672520e8d8e0964e06624e59750b2d176c2f5a
-
Filesize
563KB
MD576da2c7c124183acf74251db2a336a79
SHA1e3af0b141c37fe8db95397970aac0f9545e8b45a
SHA25677a0ee56b68c5524c79201bc045aed9c212a90f4f28d5f08a8c15507df94aad0
SHA512b160aa92810da8dc71cfffcc5ee0eeaf3058dcd39a0b1c0f02fd03436d011d9f50b46c0bea984cf3ee732162601e3a140b408655c647ff00654fa59d8fb2a8e4
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
7.6MB
