Analysis

  • max time kernel
    94s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-10-2024 09:34

General

  • Target

    2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    2ec55ecdc4a32ad646c2ad1eb09c9bca

  • SHA1

    27d883703e3035f72ea808502cec36f5ee22c381

  • SHA256

    0622156672128934ab17a1c63221a5b2011e22318f25609d0cc5f442e1743dc1

  • SHA512

    3d4a62cd8808cf201d6dd3aee25c18487588b8b2becc90468c96cf124246c4b07ba21a854e2f9c74d4e8988e3127d1390eb4c186c3f911248bded48559475bc7

  • SSDEEP

    24576:OPHnNEK7vaXDgPdVLsMPo1n07+atcoi5i26SNGrqfcEy076CqPBfO7XZQDVeXs:qNUgPdVLFwB0Pt5ov6+fCK6CMteqP

Malware Config

Signatures

  • Detected Nirsoft tools 6 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 16 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\dialupass.exe
      C:\Windows\dialupass.exe /stext C:\Windows\dialup.txt
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Windows\ie.exe
      C:\Windows\ie.exe /stext C:\Windows\ie.txt
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
    • C:\Windows\mailpv.exe
      C:\Windows\mailpv.exe /stext C:\Windows\mailpv.txt
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook accounts
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4540
    • C:\Windows\mspass.exe
      C:\Windows\mspass.exe /stext C:\Windows\mspass.txt
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:60
    • C:\Windows\netpass.exe
      C:\Windows\netpass.exe /stext C:\Windows\netpass.txt
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\pspv.exe
      C:\Windows\pspv.exe /stext C:\Windows\pspv.txt
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3472
    • C:\Windows\steam.exe
      C:\Windows\steam.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\steam.exe
        C:\Windows\steam.exe
        3⤵
        • Executes dropped EXE
        PID:2220
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    PID:3716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\MSINET.ocx

    Filesize

    112KB

    MD5

    7bec181a21753498b6bd001c42a42722

    SHA1

    3249f233657dc66632c0539c47895bfcee5770cc

    SHA256

    73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

    SHA512

    d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

  • C:\Windows\dialupass.exe

    Filesize

    75KB

    MD5

    d4292602e6d519e75ca60db02cbe0a43

    SHA1

    8cf54e9e5e3c7b904c8c796a9e2de38b988e747a

    SHA256

    fc1bc82ad3fb64775ce9abd481f58efd58c7b0a8e017efe6b52067c578919a51

    SHA512

    c4801bb034a8a8794546c73cbfebce220a2486675abd3e825f36665deaf28e4213aa1932778e27492949e1c68e4b61f6f9d4efcaaa58e7d62c3c728f277e7922

  • C:\Windows\ie.exe

    Filesize

    35KB

    MD5

    65d23deb0b50875d9105cc3e595c7022

    SHA1

    b120f97a351346ed911bfed78a45a6c6e436a74e

    SHA256

    8b326947cccf08a939f0569f58d3711ec168e7321a23f74275508cfffd4acd3d

    SHA512

    18f3a15eb2c00927958f5d8bd709eea168cff92909d0aca0795864016dcd5640d4f85ad9ee55adad4db710feff7479c0755f4001978c62659f6567ebc54c8872

  • C:\Windows\mailpv.exe

    Filesize

    46KB

    MD5

    6f2c09baafc0d31f1ce0994f8f2d5048

    SHA1

    84573202cf87bbc995bb43be4b5cb41434aab059

    SHA256

    3098abdb835e9b266dad36173c20572edc44cd21501607622eb548787b3d54f5

    SHA512

    74bc6ab413d493d5210f7e7980bf2a020c3fed2fd2bafdb6563d041840550410db68bdf267576cacc5bc677f490f8d9189148ea87301777b56a9dd4ef1d749ae

  • C:\Windows\mspass.exe

    Filesize

    58KB

    MD5

    7cfb71efaa32f1fb654517aa1f4812f2

    SHA1

    b603236f708f15ac037ab2ddaf794c643482a873

    SHA256

    c2af90d91be1fee339be6e1fd60ce293e72cf6231b25dc29b67648fc3d046322

    SHA512

    5a6c1be82cc5f1f4de519bbfb7dc24adaa60493a8e8310be74803c3f0d98451345e6fbe8fdaa3da480c687d53dcf2b01d54ce96a2c519f3539e4be9465cdd636

  • C:\Windows\netpass.exe

    Filesize

    37KB

    MD5

    22f0f0aa39ff8dbcd3973c58ce7cc2c6

    SHA1

    f0ad2f34164702711fd73bdb6c2d870e0c8ab9f8

    SHA256

    aeecd4e8fc92ae0aa8d915d775aa872a7c4487420aabed7b6e27a762572eae92

    SHA512

    9387da7e7aa9ecb41bc096edd70fbaca8b398de318f98972dee2765d311502b687f2c364ff0ae20a2e60d568bdaf7bacb34e73b6dec0a9edf97b2a6366c478b0

  • C:\Windows\netpass.txt

    Filesize

    316B

    MD5

    f57557de47e278bd0f0686a2259077d5

    SHA1

    a1f822c59aaf180eb955a3ddba69e9a2e0dd7df1

    SHA256

    ebe7e845bd297f04ef1d1bebd5ad9f5cb06c381345188640673f9bbf73043b83

    SHA512

    026266c79f5bb9aeca49d050679a0b1e362aba8e754570005fe35f51f4cfbadf909bd920f1a3771444be43a76ce639ebde5aa849b6093e667d68b88f9e8db564

  • C:\Windows\pspv.exe

    Filesize

    51KB

    MD5

    35861f4ea9a8ecb6c357bdb91b7df804

    SHA1

    836cb49c8d08d5e305ab8976f653b97f1edba245

    SHA256

    64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c

    SHA512

    0fdfe62c86c8601bb98991149eea51ddf91b812ad2c2d45e53aaf1f36a09d00aaf02fc3d183179cf5367fda09d6f62d36c0187da2dfa5e08df4c07cf634690be

  • C:\Windows\steam.exe

    Filesize

    1.1MB

    MD5

    6ebdb72e7d7cc9a2f2931b2fb9b6e0ac

    SHA1

    333940eaa283d43f4de53fe339ecc02817e5778f

    SHA256

    39652b161be02bf9271178edf74db8fa0e42d677e95cf0cb6ce1d148a338fe9d

    SHA512

    79c4aa94e8971e3c0d545c87804cc8b444d9323ab5d7da53769d327c6d0b70833630844bb8a48d233a35a219c00f9817632f8d2152637b1ecf1924325fab54c9

  • C:\err_log.txt

    Filesize

    52B

    MD5

    6b3037dce73d1bd5b0c40dbc5f652249

    SHA1

    208a5e00829f9edcc6795f55b3bc1b2eb8941ab6

    SHA256

    8d039fe1dfda015aeb0c328dd04daddcc5c2f1b057cb16ad40d1e37a107da311

    SHA512

    eac0b7c94fae647e7e201d5ea99dba9805a51a477624ec704917eeea95ebc7d39bd36953bf08b9185393683cd5c3f1267b7cead0b3b3fbfc48ec88fbb3b4256e

  • memory/60-33-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/60-35-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2220-59-0x0000000000400000-0x000000000078F000-memory.dmp

    Filesize

    3.6MB

  • memory/2220-54-0x0000000000400000-0x000000000078F000-memory.dmp

    Filesize

    3.6MB

  • memory/2220-55-0x0000000000400000-0x000000000078F000-memory.dmp

    Filesize

    3.6MB

  • memory/2220-53-0x0000000000400000-0x000000000078F000-memory.dmp

    Filesize

    3.6MB

  • memory/2220-62-0x0000000000400000-0x000000000078F000-memory.dmp

    Filesize

    3.6MB

  • memory/2864-38-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2864-43-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/4540-29-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/4540-25-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/4564-22-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/4564-19-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB