Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 04:06
Static task
static1
Behavioral task
behavioral1
Sample
3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe
-
Size
41KB
-
MD5
3daf9e6ae81363247c5f955329c41d5b
-
SHA1
7d0d61155a59d3122f191eba20eeff836424523d
-
SHA256
38e5fd8f4bb3ed7d8ff33f91d9c467670083b5f03c12293f2c5f46a04d0127e2
-
SHA512
1751a07f32581c85c5bcefa61198a41cb8d9138282403ab87606b936efe27430038a0f2039d7b3f2a41e4eb9ab9f113e9d3c0e679e0dae225cb60b3b11381556
-
SSDEEP
768:4QGiv2CKlMTFlhJDIVwqXlyOraLmMhJ3iR5Np9KtwkS7Cm94COfsziPg:3VvlKlCFWVnXlyOGD3i/L9OpS79vYsz9
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2364 Stell.exe -
Loads dropped DLL 1 IoCs
pid Process 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NOTEPAD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Stell.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Stell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Stell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Stell.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2744 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2364 Stell.exe 2364 Stell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2364 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 30 PID 2872 wrote to memory of 2364 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 30 PID 2872 wrote to memory of 2364 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 30 PID 2872 wrote to memory of 2364 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 30 PID 2872 wrote to memory of 2744 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 31 PID 2872 wrote to memory of 2744 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 31 PID 2872 wrote to memory of 2744 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 31 PID 2872 wrote to memory of 2744 2872 3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\Stell.exe"C:\Users\Admin\AppData\Local\Temp\Stell.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2364
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\prohy.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c4873fa9b5f1f5c2c39ecefdb76224bb
SHA141e7b9954c8b440322cdc13961900a0f75ea602d
SHA2567a40733f6eff475c0bd4a69dcef89abc376452f4b59184aed51269a5025b96e1
SHA512dcfa2abda48019e596030134f279d649d450ee6199aa7eb18071be30d28daab1849e3f4d4dcb0cf9d65cf36fb22eaef493ea2b25df7359df1d03b03fdff5cc9b
-
Filesize
18KB
MD59b184272fa8eecb5c99fc1805ac7529e
SHA1f9a21718765f6f842049513a8779dc738917f8af
SHA256796db843fcb613b8a6307307ad3456e451de984cd64c14f038eb0552a3342cc1
SHA51277fb8972d85dfd8d96793086f6405426834901853cd0d934f890b3e9473c30d2057fdfa94703e289b35ef83097081b73308676ae419fd517aacac2c36fee53c5
-
Filesize
22KB
MD5ae0f7196eb6ca11f59fdf63c6bcfd488
SHA18308a06843f003d65ad608767f0278e8b4019d41
SHA25601255c3a07b62f23832c1635d1f6e822d7b85ba34f32fbaa0e0c90c06b25fd12
SHA512c27f8ec49eb252097394164e6469e96030c87f4d41a3233f19704d85ac60253cbdbd3e2ae4afd317de76d30163f9f65503d65c0adb431c540397961d54dc3e05