Resubmissions

13/10/2024, 20:00 UTC

241013-yrfemazeqm 10

08/10/2024, 01:41 UTC

241008-b4e83awgqa 10

22/08/2024, 23:22 UTC

240822-3czl6svhqr 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/10/2024, 01:41 UTC

General

  • Target

    b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe

  • Size

    888KB

  • MD5

    b977a9f58910d5b0c1eb2501089b3d84

  • SHA1

    1bc0e60b3397560414c1f0dbbe9b716b83b1685d

  • SHA256

    619ae9f6605a4c01851999c358172385764b50bb32abbe80f2d3ed341807c137

  • SHA512

    f22033bc480c5bc5b52986b91b66fbf2443dfec1b2399a2b7e1f097991dfbffec07e52c8e7f4bb998c8cda34526b96f300387db36cea2eecfb33f9c832e6e1cf

  • SSDEEP

    24576:Uww2Y8ILo2jFk4Y+7801MqdGT6GTL8nLneWVE58QbgK0PWtt2:Uw9UI+A0uV6GTyLnetgK3tt

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YrDIJR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F3F.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3692
    • C:\Users\Admin\AppData\Local\Temp\b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4708

Network

  • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 76.32.126.40.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 76.32.126.40.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 205.47.74.20.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 205.47.74.20.in-addr.arpa IN PTR
    Response: no answer records
  • DNS api.ipify.org (remote address 8.8.8.8:53, US), process b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
    Request: api.ipify.org IN A
    Response: api.ipify.org IN A 172.67.74.152
              api.ipify.org IN A 104.26.13.205
              api.ipify.org IN A 104.26.12.205
  • GET http://api.ipify.org/ (remote address 172.67.74.152:80, US), process b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
    Request:
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 02:27:45 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8cf2b1923b6c6541-LHR
  • DNS 152.74.67.172.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 152.74.67.172.in-addr.arpa IN PTR
    Response: no answer records
  • DNS 23.236.111.52.in-addr.arpa (remote address 8.8.8.8:53, US)
    Request: 23.236.111.52.in-addr.arpa IN PTR
    Response: no answer records

  • 172.67.74.152:80 (http) http://api.ipify.org/, process b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
    247 B sent, 361 B received; 4 packets sent, 3 received
    HTTP Request: GET http://api.ipify.org/
    HTTP Response: 200
  • 8.8.8.8:53 (dns) 8.8.8.8.in-addr.arpa
    66 B sent, 90 B received; 1 packet sent, 1 received
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53 (dns) 76.32.126.40.in-addr.arpa
    71 B sent, 157 B received; 1 packet sent, 1 received
    DNS Request: 76.32.126.40.in-addr.arpa
  • 8.8.8.8:53 (dns) 205.47.74.20.in-addr.arpa
    71 B sent, 157 B received; 1 packet sent, 1 received
    DNS Request: 205.47.74.20.in-addr.arpa
  • 8.8.8.8:53 (dns) api.ipify.org, process b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe
    59 B sent, 107 B received; 1 packet sent, 1 received
    DNS Request: api.ipify.org
    DNS Response: 172.67.74.152, 104.26.13.205, 104.26.12.205
  • 8.8.8.8:53 (dns) 152.74.67.172.in-addr.arpa
    72 B sent, 134 B received; 1 packet sent, 1 received
    DNS Request: 152.74.67.172.in-addr.arpa
  • 8.8.8.8:53 (dns) 23.236.111.52.in-addr.arpa
    72 B sent, 158 B received; 1 packet sent, 1 received
    DNS Request: 23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b977a9f58910d5b0c1eb2501089b3d84_JaffaCakes118.exe.log

    Filesize

    1KB

    MD5

    17573558c4e714f606f997e5157afaac

    SHA1

    13e16e9415ceef429aaf124139671ebeca09ed23

    SHA256

    c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

    SHA512

    f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

  • C:\Users\Admin\AppData\Local\Temp\tmp6F3F.tmp

    Filesize

    1KB

    MD5

    353c985401695cf809f5592181146555

    SHA1

    6998bb8de0f564211b61d49e3060faa60d5ee8f5

    SHA256

    6d7f44651c6a4326420103148c15ff77ac84c7569b0ed5ca3f8cd3bf4d1b4b1c

    SHA512

    31e3ed430354b08ae21ff55507afc1ad4793d54abe84dec9773065fbe62f7238963f032b3ec7de2300041b9ca12f3f253d5170fdb00793dbfcc428c22a9dd266

  • memory/3008-7-0x0000000004F80000-0x0000000004FD6000-memory.dmp

    Filesize

    344KB

  • memory/3008-9-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

    Filesize

    4KB

  • memory/3008-4-0x0000000004D90000-0x0000000004E22000-memory.dmp

    Filesize

    584KB

  • memory/3008-5-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

    Filesize

    40KB

  • memory/3008-6-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/3008-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

    Filesize

    4KB

  • memory/3008-8-0x0000000004F40000-0x0000000004F58000-memory.dmp

    Filesize

    96KB

  • memory/3008-22-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/3008-10-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/3008-11-0x0000000005C80000-0x0000000005D3C000-memory.dmp

    Filesize

    752KB

  • memory/3008-12-0x00000000059F0000-0x00000000059F6000-memory.dmp

    Filesize

    24KB

  • memory/3008-1-0x0000000000240000-0x0000000000324000-memory.dmp

    Filesize

    912KB

  • memory/3008-3-0x0000000005340000-0x00000000058E4000-memory.dmp

    Filesize

    5.6MB

  • memory/3008-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

    Filesize

    624KB

  • memory/3008-13-0x0000000005D40000-0x0000000005DDC000-memory.dmp

    Filesize

    624KB

  • memory/4708-32-0x0000000007DA0000-0x0000000007DF0000-memory.dmp

    Filesize

    320KB

  • memory/4708-23-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-25-0x0000000005130000-0x0000000005174000-memory.dmp

    Filesize

    272KB

  • memory/4708-24-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-26-0x00000000052C0000-0x0000000005326000-memory.dmp

    Filesize

    408KB

  • memory/4708-27-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-28-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-29-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-30-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB

  • memory/4708-19-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/4708-33-0x0000000006DF0000-0x0000000006E04000-memory.dmp

    Filesize

    80KB

  • memory/4708-44-0x0000000074AD0000-0x0000000075280000-memory.dmp

    Filesize

    7.7MB
