Analysis Overview
SHA256
fd343ab92ff941035535dcf06fc42f9ecdc21f482ad9f3b0c2b5e1ece6baeccd
Threat Level: Known bad
The file 3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Taken together, the signatures below describe a credential stealer with a short process chain. The submitted executable drops vbc.exe into C:\Users\Admin\AppData\Local\Temp, starts it and sets its thread context (SetThreadContext together with WriteProcessMemory, the usual process-hollowing pattern). That vbc.exe in turn starts two further vbc.exe instances, hollows them the same way, and each of those runs with the NirSoft save switch /scomma to write comma-separated output into a randomly named .ini file in the same Temp directory. The memory dumps of the three hollowed processes have three different image sizes (0x42000, 0x53000 and 0x1F000 bytes), so three distinct payloads are written; this is consistent with the MailPassView and browser-credential signatures and with the read of the Outlook OMI Account Manager key by vbc.exe. Persistence is a Run value named JavaUpdtr pointing at a copy of the sample under AppData\Roaming\JavaUpdtr. The only sample-attributable network activity in either run is a DNS query for www.fusion-center.ro; no connection to that host was recorded. Two caveats for anyone hunting on this: the "Uses the VBS compiler for execution" signature keys on the image name vbc.exe, and the vbc.exe here is the dropped Temp file listed under Files, not the .NET Framework compiler; and the dropped vbc.exe has a different hash in the win7 and win10 runs, so pivot on the behaviour (Run value name, /scomma output into Temp, vbc.exe running outside the Framework directory) rather than on the file hash.
ISR Stealer payload
ISR Stealer
Detected Nirsoft tools
NirSoft MailPassView
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
Accesses Microsoft Outlook accounts
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 10:43
Signatures
Unsigned PE
1 hit; no indicator details captured.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 10:43
Reported
2024-10-13 10:46
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
4 hits; no indicator details captured.
Detected Nirsoft tools
3 hits; no indicator details captured.
NirSoft MailPassView
3 hits; no indicator details captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdtr\\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| PID 2284 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| PID 2284 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
UPX packed file
10 hits; no indicator details captured.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line | Notes (from the SetThreadContext table) |
| C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe" | PID 2116; sets thread context of 2284 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe | PID 2284; thread context set by 2116; sets thread context of 2816 and 3004 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\EP7m80h1YT.ini" | PID 2816 or 3004 (the report does not tie a PID to an output file); thread context set by 2284 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\VaEbfOBp8q.ini" | PID 2816 or 3004; thread context set by 2284 |
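The process chain and the Run value above are enough to hunt for in endpoint telemetry. The following Python is an added example, not part of the sandbox report or of any analysis tooling: it encodes the indicators as small rules and runs them over a handful of Sysmon-shaped process-creation (event 1) and registry-value-set (event 13) records constructed from the behavioral1 run, plus two benign records for contrast. The Event field names, the parent images (explorer.exe for the dropper, MSBuild.exe for the benign compiler run) and the benign records are assumptions; the rules also generalize the report's /scomma switch to the other NirSoft save switches.

```python
"""Hunting rules for the behaviour recorded in this report (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# The genuine VB compiler lives under the .NET Framework directory; the report's
# vbc.exe is a dropped file in %TEMP%, which is what the first rule keys on.
LEGIT_VBC = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\vbc\.exe$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# NirSoft "save" switches; the report shows /scomma (comma-delimited) writing *.ini into %TEMP%.
# Generalised to the other save formats the tools accept (assumption: same output-path syntax).
NIRSOFT_SAVE = re.compile(r'/s(?:comma|tab|xml|html|verhtml|text)\s+"?([^"]+\.\w+)"?', re.I)


@dataclass
class Event:
    """Sysmon-shaped record; the field names are an assumption, not the sandbox's schema."""
    event_id: int            # 1 = process creation, 13 = registry value set
    pid: int
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    target_object: str = ""  # registry path (event 13)
    details: str = ""        # registry value data (event 13)


def check(ev: Event) -> list[str]:
    """Return the names of every rule this single event trips."""
    hits = []
    if ev.event_id == 1:
        if PureWindowsPath(ev.image).name.lower() == "vbc.exe" and not LEGIT_VBC.match(ev.image):
            hits.append("vbc_outside_framework")
        m = NIRSOFT_SAVE.search(ev.cmdline)
        if m and TEMP_DIR.search(m.group(1)):
            hits.append("nirsoft_dump_to_temp")
        # A Temp binary whose parent is the same Temp binary: the report's vbc.exe -> vbc.exe chain.
        if ev.image and ev.image.lower() == ev.parent_image.lower() and TEMP_DIR.search(ev.image):
            hits.append("temp_binary_spawns_itself")
    elif ev.event_id == 13:
        if RUN_KEY.search(ev.target_object) and ROAMING_DIR.search(ev.details):
            hits.append("run_key_to_roaming")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map PID -> rules tripped, for every PID with at least one hit."""
    out: dict[int, list[str]] = {}
    for ev in events:
        hits = check(ev)
        if hits:
            out.setdefault(ev.pid, []).extend(hits)
    return out


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe"
VBC = TEMP + r"\vbc.exe"
RUN_PREFIX = "HKU\\S-1-5-21-3692679935-4019334568-335155002-1000" \
             + r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the behavioral1 run; explorer.exe as the dropper's parent is an assumption.
SAMPLE_EVENTS = [
    Event(1, 2116, DROPPER, '"' + DROPPER + '"', r"C:\Windows\explorer.exe"),
    Event(13, 2116, target_object=RUN_PREFIX + r"\JavaUpdtr",
          details=r"C:\Users\Admin\AppData\Roaming\JavaUpdtr\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe"),
    Event(1, 2284, VBC, VBC, DROPPER),
    Event(1, 2816, VBC, VBC + r' /scomma "' + TEMP + r'\EP7m80h1YT.ini"', VBC),
    Event(1, 3004, VBC, VBC + r' /scomma "' + TEMP + r'\VaEbfOBp8q.ini"', VBC),
    # Benign contrast (constructed): a real compiler invocation and an ordinary Run entry.
    Event(1, 1234, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
          r"vbc.exe /nologo /target:exe /out:Build\app.exe Program.vb",
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"),
    Event(13, 5678, target_object=RUN_PREFIX + r"\OneDrive",
          details=r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]


def report_hits() -> dict[int, list[str]]:
    """Run the rules over the constructed events."""
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rules in sorted(report_hits().items()):
        print(pid, ", ".join(rules))
```

Running the module prints the rules tripped per PID: the dropper only for the Run value, the first vbc.exe for running outside the Framework directory, and the two children for all three process rules. The vbc_outside_framework rule is the cheapest pivot because the genuine compiler is Microsoft-signed and lives under C:\Windows\Microsoft.NET\Framework*, so a vbc.exe started from a user-writable directory is worth a look whatever its hash.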
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.fusion-center.ro | udp |
Files
memory/2116-0-0x00000000744E1000-0x00000000744E2000-memory.dmp
memory/2116-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp
memory/2116-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp
\Users\Admin\AppData\Local\Temp\vbc.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/2284-9-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2284-10-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2284-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2284-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2284-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2816-27-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2816-28-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2816-26-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2816-23-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2116-22-0x00000000744E0000-0x0000000074A8B000-memory.dmp
memory/2816-32-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EP7m80h1YT.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/2284-41-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3004-40-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3004-39-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3004-38-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3004-35-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3004-43-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2284-46-0x0000000000400000-0x0000000000442000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 10:43
Reported
2024-10-13 10:46
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Nirsoft tools
3 hits; no indicator details captured.
NirSoft MailPassView
3 hits; no indicator details captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdtr\\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe" | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1600 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| PID 4848 set thread context of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
| PID 4848 set thread context of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe |
UPX packed file
10 hits; no indicator details captured.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line | Notes (from the SetThreadContext table) |
| C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\3f6607f74883eb8cb2bb5e4284dd49d9_JaffaCakes118.exe" | PID 1600; sets thread context of 4848 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | C:\Users\Admin\AppData\Local\Temp\vbc.exe | PID 4848; thread context set by 1600; sets thread context of 4300 and 4084 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\Iqu1VVKmOY.ini" | PID 4300 or 4084 (the report does not tie a PID to an output file); thread context set by 4848 |
| C:\Users\Admin\AppData\Local\Temp\vbc.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\FzCDPXgYFc.ini" | PID 4300 or 4084; thread context set by 4848 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fusion-center.ro | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
Only the www.fusion-center.ro lookup also appears in the win7 run (behavioral1). The g.bing.com traffic and the in-addr.arpa reverse lookups are absent there and are consistent with background activity of the Windows 10 analysis image rather than with the sample; as in behavioral1, no connection to the resolved address of www.fusion-center.ro was recorded.
Files
memory/1600-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp
memory/1600-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/1600-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbc.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/4848-7-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4848-12-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4300-25-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1600-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp
memory/4300-21-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4300-20-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4300-19-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4300-15-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Iqu1VVKmOY.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/4084-27-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4084-30-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4848-32-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4084-33-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4084-31-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4084-35-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4848-37-0x0000000000400000-0x0000000000442000-memory.dmp