Analysis

  • max time kernel
    132s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-10-2024 17:31

General

  • Target

    435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe

  • Size

    408KB

  • MD5

    435bdfd099d99c104e632cf1fd3ed653

  • SHA1

    29fe97b17630e002e3af02377b10f123b425cc6f

  • SHA256

    d11d33fc7d6d5ef947ce115451015d4fe0696e78086af36a42f6e3da1f792820

  • SHA512

    6e7066ce1328e01fa2de50d1b89d4caa944656014defa163502265441dd29bcc9e5b32dd3e24dc438d577899df675be4c257377ddcf8c16a925beef4f962b820

  • SSDEEP

    12288:UseDesaU5qQds+h4nYSIKyH9LOIgWZyrQjGflfVYoHX/oS:xeVd5ba+anYv9LOPhOQlWoHXg

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 21 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\temp\125.bat
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im ksafetray.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
      • \??\c:\windows\temp\rar.exe
        "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\usbhard.rar c:\windows\temp\
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2696
      • \??\c:\windows\temp\systen.exe
        c:\windows\temp\systen.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\windows\temp\ok.bat
          4⤵
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1616
          • \??\c:\windows\temp\rar.exe
            "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:1336
          • \??\c:\windows\web\lsiss.exe
            c:\windows\web\lsiss.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1036
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\windows\temp\00.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1976
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R d:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1292
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R d:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2360
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R e:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1524
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R e:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1928
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R f:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2344
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R f:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2056
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R g:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:836
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R g:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2184
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R h:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1932
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R h:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2172
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\11a.bat
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2956
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -H c:\ma.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:960
  • C:\Windows\system32\wbem\scrcons.exe
    C:\Windows\system32\wbem\scrcons.exe -Embedding
    1⤵
    • Modifies data under HKEY_USERS
    PID:276
    • C:\Windows\Temp\systen.exe
      "C:\Windows\Temp\systen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\temp\ok.bat
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3064
        • \??\c:\windows\temp\rar.exe
          "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:2304
        • \??\c:\windows\web\lsiss.exe
          c:\windows\web\lsiss.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3012
    • C:\Windows\Temp\systen.exe
      "C:\Windows\Temp\systen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\temp\ok.bat
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1496
        • \??\c:\windows\temp\rar.exe
          "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:2676
        • \??\c:\windows\web\lsiss.exe
          c:\windows\web\lsiss.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11a.bat

    Filesize

    240B

    MD5

    af2d245f8dc47c66c9725571696f9f22

    SHA1

    cfb7d46c274393b7a7cff8977cec62918e40e029

    SHA256

    1c54c826a129e600bceb3305cec8da9c7835f6d041054c6a9eac78aefdfb3fa0

    SHA512

    840c75bf803ebb0bbc1012a5bb6d7ad594544891040cf56b98b92f6ddc6fb2b1c7c8b9ff7fdb29c8173299c6ed33939ed745aaaf20d0c92bcc810189a261ac24

  • C:\Windows\Temp\00.vbs

    Filesize

    7.6MB

    MD5

    f4731efebe5b9fc0b79d677f73f3cdde

    SHA1

    e459880d3640cc29adfdbd3ae36b2487e7311372

    SHA256

    3ccf185f5cf915984116ff658dd49e57b594555cc2898d0a9672be08a1b2d94b

    SHA512

    a940835fe332d6468fc324f8b675f9151cf861278cb42bf13e0758196d0e5e267b0c4f3f7aa276721d4d39a0d85d513f2d5e461a9666369cc9a8aa287ce7bd54

  • C:\Windows\Temp\125.bat

    Filesize

    1KB

    MD5

    7526ddc332792483e84261659cd39aed

    SHA1

    384fbe01332a6302bc6a3c77025e1dc71185f952

    SHA256

    f4049d98eeead98dbf1ba8b1ee8db45cc9ab9a1d240b5265f6ccc618de3a44c0

    SHA512

    c8a5dd7da77ba8711662af2efb4a9b3c94f53df6069d56a07a08065c817feee9cae44dd83b383577aa80ab421068ac9dcfa0e84b91880af67a452eb580689e13

  • \??\c:\windows\temp\00.txt

    Filesize

    7.6MB

    MD5

    db40c3f730de6968349a661cd46875ff

    SHA1

    c5bbd7957201166e2c8d863a49757ddd0bebabfa

    SHA256

    c95ddc9723d5059fd9934edd8aea539cff5e6479285a631ff101773ec12c17ea

    SHA512

    59a48a00b96b94a2042b10ccdf0e8b09103d6fbd639d7d5802d4db5267b6b003dd75d16d3e9ade21d180987ec8add74a4f71c652ce099af26dea8e63020f0503

  • \??\c:\windows\temp\md5.txt

    Filesize

    1KB

    MD5

    0167f26cce7b6da87b148f777f0d4363

    SHA1

    a4c0f661bf343729cd61e4ddd967239b51110168

    SHA256

    c50206715cd1954001199ecc375d15c7ff06bc2369f83e705e2a3b7b6cdd838e

    SHA512

    fa8e2723be7f19dc7c7d60a3c6bf069d4095637f58c295ce21bebb8dd36dc8b69f5112677ff10a4b839f217ffcbe380c67275b89f3646b908fc2f2a0378aeced

  • \??\c:\windows\temp\ok.bat

    Filesize

    368B

    MD5

    971b72c1a1297f1a5b828e7eb011ef98

    SHA1

    8f42402ff6b452b55c243c746cb00e78131c7fba

    SHA256

    31514d44c421799d991dd0b8d001e45eadd5d880946c15f846856b35e10d5565

    SHA512

    b0851262fd6cd04aaa3c1a947d10ccba1c5c91aeba02e0e0a131c7f5195d0948c82794cab9642ac32dcce19f550122ed40dcbdd43c5e4eea53b8e9274c5b3466

  • \??\c:\windows\temp\ok.rar

    Filesize

    232KB

    MD5

    b131d5353fa3402a133142a6dc0a2b80

    SHA1

    fcbe5afe1705afabb411ff83e6cab2c715cd48eb

    SHA256

    e7a4d177abd8369c0a8c0278bcd55e9f171cd18a940694bee0846edf6a9469bc

    SHA512

    cd08d34354e20a2b3cb440aec83e4424dd96c866bd6a1aa2386e184ef0efae2b1a676a2f6314a4f546cd29fe30821c5130ad441e33b2eb5fb406187ceb2e8b8c

  • \??\c:\windows\temp\usbhard.rar

    Filesize

    5KB

    MD5

    62b9eb2d18689daf231c4297219ecc97

    SHA1

    02d23d2de3a2a2f0cf7e743f0b993e962e5e51c1

    SHA256

    1dc23f23fecff10a0fb4ce5d18eea801bb1f851d51ce2023b1b19c859fdcded0

    SHA512

    86337d29d9d1b9d8a4f6a71bc22062429442743d4879bbd09df9e616e4093cebb3b1494eefbcd76d216b237264cb9fd4d802cb5d32710726942f0b771e57c4ff

  • \Windows\Temp\rar.exe

    Filesize

    310KB

    MD5

    0a5680183c0089a64621e211917664d8

    SHA1

    8525d73c99e28413e97a094c99950e1806786246

    SHA256

    c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814

    SHA512

    b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051

  • memory/1036-95-0x00000000008E0000-0x00000000009CB000-memory.dmp

    Filesize

    940KB

  • memory/1036-97-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1036-90-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/1336-81-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1496-149-0x0000000000710000-0x00000000007FB000-memory.dmp

    Filesize

    940KB

  • memory/2304-110-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2672-30-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2672-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

  • memory/2672-31-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

  • memory/2672-40-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2672-0-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2676-141-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/2696-26-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/3012-124-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3012-128-0x00000000004F0000-0x00000000005DB000-memory.dmp

    Filesize

    940KB

  • memory/3012-126-0x00000000004F0000-0x00000000005DB000-memory.dmp

    Filesize

    940KB

  • memory/3012-127-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3028-157-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3028-151-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

  • memory/3064-116-0x0000000001050000-0x000000000113B000-memory.dmp

    Filesize

    940KB