Analysis
Max time kernel: 13s
Max time network: 18s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 14/10/2024, 15:34
Static task: static1
Behavioral task: behavioral1
Sample: 42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
Size: 1.1MB
MD5: 42e2d0497b0d671f87a626d4d1bf27cd
SHA1: 01936d966657ac5e4f1d88a2de6ce5b6d6bb3ce7
SHA256: e2a7bd9a92ea7c9a7d61f087231c0c14d76859132cef9ece8e812d34b7fe4219
SHA512: b4f943a7f0f63d272f8c44534ab3f0fd1e131c9c759e390230359e6c489a06299a75909f826e25255f7e7e27fc320e9e191f4096c2ffa3f39c5dacd152d2d94f
SSDEEP: 24576:Q/wQ8AinA5buEbTP46BsDc4ex/289ZZlvML9paIAlBo:Q/CNEnP46BkcT3HMLfaZro
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  2828  d.exe

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                         Process
  Key opened   \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2884  DllHost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2884  DllHost.exe
  2884  DllHost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description          pid   Process                                             procid_target
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
  PID 1996 wrote to memory of 2828  1996  42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe  30
Processes

C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42e2d0497b0d671f87a626d4d1bf27cd_JaffaCakes118.exe"
  PID: 1996
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d.exe"
    PID: 2828
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2884
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads
-
Filesize: 41KB
MD5: 566efe7e9551ea7a7a193c7d30cea01c
SHA1: 18b949be3ee6c33b40d3db4f41f6d651f2e57500
SHA256: 10bd1c8ded4e652cf4b9f1695cb7e745a7c339508f18dd00fda06f72b005f744
SHA512: 615111a3b2ce52292525ada53f3b6c5f6dd687a899879835e06fa85428da423d30ff4ba1dc7a7fc218bf4e367a6aa7e6b9db66540f3c02f139482350df77c306
-
Filesize: 344KB
MD5: 1cf59467542770f50b96b85e48458f18
SHA1: 02e04f671ffdabf9e04298f4b1cbaf567d6c531c
SHA256: 97049831ea1bd4a9c05412d346360fdb1918df7b62138f574bd696077f5aefb7
SHA512: c96cacb65b26847759cecc44acfb5d7f3fd5687b147c27b666773692d0a9786c12a7813e8c271032882ee23f3cb38ef14df03b2a952415584942631276abb6ef