Overview

overview

7

Static

static

3

2a6b79d2d8...18.exe

windows7-x64

7

2a6b79d2d8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 03:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe

  • Size

    218KB

  • MD5

    2a6b79d2d8c78d9a6d5f63d203746153

  • SHA1

    86ee77ac3d94e1a7808aa0aea553fa8ec81ae4e6

  • SHA256

    63362870ddc6f6f06a3f59415006ac48975cca308c4b285a63851dcbb8b295c4

  • SHA512

    cd1ee1c432016c5070ce57d4264738617d9e2a43b606991434fa5b9ebf479a1031b26a452e14cdfbf05b4d15a9574164c42ea8cf88fc6717fef7f867b99dc246

  • SSDEEP

    6144:A/6zy3sq8j1/EKd4ReLZkouP5F6wUEzErL6xPh:0hsq8j9d4sOouRAVE0L

Score
7/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe
      "C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.crazyfrost.com/
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb48b546f8,0x7ffb48b54708,0x7ffb48b54718
          4⤵
            PID:2444
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
            4⤵
              PID:1396
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2912
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
              4⤵
                PID:2016
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                4⤵
                  PID:4644
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                  4⤵
                    PID:2896
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
                    4⤵
                      PID:2700
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
                      4⤵
                        PID:3556
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1812
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
                        4⤵
                          PID:4080
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
                          4⤵
                            PID:1996
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
                            4⤵
                              PID:4584
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                              4⤵
                                PID:5060
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12863901623595511697,7183544082814614779,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5480 /prefetch:2
                                4⤵
                                  PID:2848
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://crazyfrost.com/?p=622
                                3⤵
                                  PID:4428
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb48b546f8,0x7ffb48b54708,0x7ffb48b54718
                                    4⤵
                                      PID:4168
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:5020
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:4364

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    ba6ef346187b40694d493da98d5da979

                                    SHA1

                                    643c15bec043f8673943885199bb06cd1652ee37

                                    SHA256

                                    d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                    SHA512

                                    2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    b8880802fc2bb880a7a869faa01315b0

                                    SHA1

                                    51d1a3fa2c272f094515675d82150bfce08ee8d3

                                    SHA256

                                    467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                    SHA512

                                    e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    1c20cb368c277f53cb9e433e79439566

                                    SHA1

                                    7233052d1c20ef595ece924a1976c35204c7fdb2

                                    SHA256

                                    7e11016dffb0386d27969516b8f9aefd02d70eacf777018721351e98221ce660

                                    SHA512

                                    06982a759405385bcc55da0143c5d5e9a3b67974ba2d63ab2d253cbb424b222f4619f847a7868540f0e439924c28048a90dc39c7e570bc87ef89af025eec3701

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    69dc3ab3fc78baba99c45adaa2d62695

                                    SHA1

                                    138c4b83c0c39ca613567826d0e8cc95e50124fb

                                    SHA256

                                    c7ac95e989c34cc06c35dd337e362bf0cf9d7a117fda6bff6fa07bb7b9f23663

                                    SHA512

                                    0d532efe3486c8f5c39609ca9acdafb59ae8fe8728cf82b839a580f1908e5b427d8793acd68c571605deada42cafd6a7739b516725562848374f1e7fb792ece3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    10KB

                                    MD5

                                    c3ef91640247b65be2b5c49b4064d7f8

                                    SHA1

                                    fa4de5c32660ce0e885f624e53ff9fe1930a8fc9

                                    SHA256

                                    d61baa13acb13bfcdde4789cfb7e792a4d4e49c0d738e22aaccd06a54f4f0ad4

                                    SHA512

                                    8ac60ff8bd65456b5eccdb5b7af9edb243a7874e675975fea44f3f94309d5fb5540ff6803ac06a6359d47d8a10c9ca020212a46756386fb2ef798622e7d4ec2a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe
                                    Filesize

                                    211KB

                                    MD5

                                    a8fb94afc3a93ef7d911c4b7713c31c5

                                    SHA1

                                    cbd8570408ad96a462ea8697a7b2c28e4d206082

                                    SHA256

                                    214fa9a7ab481c12edc2ed18a196a6ef0ca1ca11d17186afc3a7ea69cf7a4298

                                    SHA512

                                    10fc7e4f20c984301090b35547b397c9a04c9ab664e894ff1ba56d64597433cae25f82b5215d2c4888c0bbd7ef8b0bb510f42e881b7fc45cb49c3c8433a2da32

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\ufr_reports\NO_PWDS_report_09-10-2024_12-56-55-75647ABC-LGMI.bin
                                    Filesize

                                    1KB

                                    MD5

                                    90a8ab352e005c6ea73045181bc97952

                                    SHA1

                                    ca7d36026b7eb49ff917bdabe4d0ab42ab62c25c

                                    SHA256

                                    05968190932c4734fabf67bbe35c1c247b6aed4ed13b71473805139e8a6e4a5d

                                    SHA512

                                    568131e4c8ff84b06c353c7fe7742d7d041ffa0eb753ce4d7d0b1ad08494b98f67027301969053129dee97fe72da845b776d1977ced4cdd71c405216280553e6

                                    Download Submit

                                  • memory/840-25-0x0000000000400000-0x00000000004A9000-memory.dmp

                                    Filesize

                                    676KB

                                    Download

                                  • memory/840-0-0x0000000000400000-0x00000000004A9000-memory.dmp

                                    Filesize

                                    676KB

                                    Download

                                  • memory/840-5-0x0000000000400000-0x00000000004A9000-memory.dmp

                                    Filesize

                                    676KB

                                    Download

                                  • memory/2972-26-0x00000000729C2000-0x00000000729C3000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2972-28-0x00000000729C0000-0x0000000072F71000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2972-73-0x00000000729C2000-0x00000000729C3000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2972-74-0x00000000729C0000-0x0000000072F71000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2972-75-0x00000000729C0000-0x0000000072F71000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2972-27-0x00000000729C0000-0x0000000072F71000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download