Analysis

  • max time kernel
    139s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-10-2024 17:31

General

  • Target: 435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe
  • Size: 408KB
  • MD5: 435bdfd099d99c104e632cf1fd3ed653
  • SHA1: 29fe97b17630e002e3af02377b10f123b425cc6f
  • SHA256: d11d33fc7d6d5ef947ce115451015d4fe0696e78086af36a42f6e3da1f792820
  • SHA512: 6e7066ce1328e01fa2de50d1b89d4caa944656014defa163502265441dd29bcc9e5b32dd3e24dc438d577899df675be4c257377ddcf8c16a925beef4f962b820
  • SSDEEP: 12288:UseDesaU5qQds+h4nYSIKyH9LOIgWZyrQjGflfVYoHX/oS:xeVd5ba+anYv9LOPhOQlWoHXg

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Executes dropped EXE (10 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Enumerates connected drives (3 TTPs, 3 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in System32 directory (1 IoCs)
  • Drops file in Windows directory (10 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 30 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 5 IoCs)
    Adversaries may check for Internet connectivity on compromised systems.
  • Kills process with taskkill (1 IoCs)
  • Modifies data under HKEY_USERS (10 IoCs)
  • Modifies registry class (1 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTPs, 11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\435bdfd099d99c104e632cf1fd3ed653_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\windows\temp\125.bat
      2⤵
      • Checks computer location settings
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im ksafetray.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • \??\c:\windows\temp\rar.exe
        "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\usbhard.rar c:\windows\temp\
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:3548
      • \??\c:\windows\temp\systen.exe
        c:\windows\temp\systen.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\windows\temp\ok.bat
          4⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4252
          • \??\c:\windows\temp\rar.exe
            "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            PID:4640
          • \??\c:\windows\web\lsiss.exe
            c:\windows\web\lsiss.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4360
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 532
              6⤵
              • Program crash
              PID:1496
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\windows\temp\00.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2456
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R d:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:956
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R d:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4496
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R e:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4736
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R e:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4204
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R f:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2104
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R f:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3968
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R g:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2156
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R g:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2208
      • C:\Windows\SysWOW64\attrib.exe
        attrib -H -R h:\~1
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2728
      • C:\Windows\SysWOW64\attrib.exe
        attrib +H +R h:\setprter
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\11a.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2684
      • C:\Windows\SysWOW64\attrib.exe
        attrib -S -H c:\ma.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4360 -ip 4360
    1⤵
    PID:2792
  • C:\Windows\system32\wbem\scrcons.exe
    C:\Windows\system32\wbem\scrcons.exe -Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\Temp\systen.exe
      "C:\Windows\Temp\systen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4344
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\windows\temp\ok.bat
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1360
        • \??\c:\windows\temp\rar.exe
          "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:3380
        • \??\c:\windows\web\lsiss.exe
          c:\windows\web\lsiss.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 500
            5⤵
            • Program crash
            PID:4808
    • C:\Windows\Temp\systen.exe
      "C:\Windows\Temp\systen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4568
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\windows\temp\ok.bat
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4184
        • \??\c:\windows\temp\rar.exe
          "c:\windows\temp\Rar.exe" e -y -ping c:\windows\temp\ok.rar c:\windows\web\
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:4068
        • \??\c:\windows\web\lsiss.exe
          c:\windows\web\lsiss.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:536
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 500
            5⤵
            • Program crash
            PID:5012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3656 -ip 3656
    1⤵
    PID:1028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 536 -ip 536
    1⤵
    PID:2908

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11a.bat
    Filesize: 240B
    MD5: af2d245f8dc47c66c9725571696f9f22
    SHA1: cfb7d46c274393b7a7cff8977cec62918e40e029
    SHA256: 1c54c826a129e600bceb3305cec8da9c7835f6d041054c6a9eac78aefdfb3fa0
    SHA512: 840c75bf803ebb0bbc1012a5bb6d7ad594544891040cf56b98b92f6ddc6fb2b1c7c8b9ff7fdb29c8173299c6ed33939ed745aaaf20d0c92bcc810189a261ac24
  • C:\Windows\Temp\00.vbs
    Filesize: 7.6MB
    MD5: d62a2a6cc83c50b299a5a860428da307
    SHA1: f1deb73d1e657e58577a4532995feb23ed1b423c
    SHA256: fd4af098a3a8e530a957b86d9034167875d34933a8a3d3fd3d3652a454876dfa
    SHA512: 0f4d5344edb4a727a47fbcabf02821e7374cf29f96dac90382d27265b72fd62718e5c7cf6abeb76c3b0891c81abe349703508badf263192ce9ecb40e1b7522bd
  • C:\Windows\Temp\rar.exe
    Filesize: 310KB
    MD5: 0a5680183c0089a64621e211917664d8
    SHA1: 8525d73c99e28413e97a094c99950e1806786246
    SHA256: c7d6bfe9d26d1ecdd9f2e7f3f892a4d32030949937f86938edcb1995655c2814
    SHA512: b843b8994c764c3761bef8d34eefb312c9d9567b3f4aadc38008caf42d0cdb82c33276203e4210adcc1e8c567268ebdf01a0a1e839694811932889ac971bb051
  • \??\c:\windows\temp\00.txt
    Filesize: 7.6MB
    MD5: db40c3f730de6968349a661cd46875ff
    SHA1: c5bbd7957201166e2c8d863a49757ddd0bebabfa
    SHA256: c95ddc9723d5059fd9934edd8aea539cff5e6479285a631ff101773ec12c17ea
    SHA512: 59a48a00b96b94a2042b10ccdf0e8b09103d6fbd639d7d5802d4db5267b6b003dd75d16d3e9ade21d180987ec8add74a4f71c652ce099af26dea8e63020f0503
  • \??\c:\windows\temp\125.bat
    Filesize: 1KB
    MD5: 7526ddc332792483e84261659cd39aed
    SHA1: 384fbe01332a6302bc6a3c77025e1dc71185f952
    SHA256: f4049d98eeead98dbf1ba8b1ee8db45cc9ab9a1d240b5265f6ccc618de3a44c0
    SHA512: c8a5dd7da77ba8711662af2efb4a9b3c94f53df6069d56a07a08065c817feee9cae44dd83b383577aa80ab421068ac9dcfa0e84b91880af67a452eb580689e13
  • \??\c:\windows\temp\md5.txt
    Filesize: 1KB
    MD5: 6b987232a21dfea0e08fba135ec8bfa4
    SHA1: 8cd2c6d0b2867d4f72b0d4a76373be47e9f8ea04
    SHA256: 1fc7eb94e01cd0479eb361f9eb2b7e07fe1509268d3c3071356dc44703f3026a
    SHA512: d7532e617cd7c33ec2637b029d2d9a9a2cd87616f61c263c51f03289810f9a8d26d8849410ed31214aa082d49831a362b379d46a34a2a4d0935b3b7f530620fa
  • \??\c:\windows\temp\ok.bat
    Filesize: 368B
    MD5: 971b72c1a1297f1a5b828e7eb011ef98
    SHA1: 8f42402ff6b452b55c243c746cb00e78131c7fba
    SHA256: 31514d44c421799d991dd0b8d001e45eadd5d880946c15f846856b35e10d5565
    SHA512: b0851262fd6cd04aaa3c1a947d10ccba1c5c91aeba02e0e0a131c7f5195d0948c82794cab9642ac32dcce19f550122ed40dcbdd43c5e4eea53b8e9274c5b3466
  • \??\c:\windows\temp\ok.rar
    Filesize: 232KB
    MD5: b131d5353fa3402a133142a6dc0a2b80
    SHA1: fcbe5afe1705afabb411ff83e6cab2c715cd48eb
    SHA256: e7a4d177abd8369c0a8c0278bcd55e9f171cd18a940694bee0846edf6a9469bc
    SHA512: cd08d34354e20a2b3cb440aec83e4424dd96c866bd6a1aa2386e184ef0efae2b1a676a2f6314a4f546cd29fe30821c5130ad441e33b2eb5fb406187ceb2e8b8c
  • \??\c:\windows\temp\usbhard.rar
    Filesize: 5KB
    MD5: 62b9eb2d18689daf231c4297219ecc97
    SHA1: 02d23d2de3a2a2f0cf7e743f0b993e962e5e51c1
    SHA256: 1dc23f23fecff10a0fb4ce5d18eea801bb1f851d51ce2023b1b19c859fdcded0
    SHA512: 86337d29d9d1b9d8a4f6a71bc22062429442743d4879bbd09df9e616e4093cebb3b1494eefbcd76d216b237264cb9fd4d802cb5d32710726942f0b771e57c4ff
  • \??\c:\windows\web\lsiss.exe
    Filesize: 55.6MB
    MD5: 29e30f738033f2685e1440ef8800d0e9
    SHA1: c6a0f3fe9256f79c24c6fb497a67e3d645749b10
    SHA256: dbf23b5d450e11b08509b8f89dfdb701b5a3e31cedbb77fa2baa746eaa3532a8
    SHA512: 534942ec04b7cf02f19b62a37d76c7765520a84d66b802af5461deacea0722fed884fa80f0189e02df18cef8b9dbb2ce16636d4a068e03d91aa6395754377b32
  • memory/536-102-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/536-100-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/772-29-0x0000000000400000-0x000000000049A000-memory.dmp
    Filesize: 616KB
  • memory/772-25-0x00000000001C0000-0x00000000001C3000-memory.dmp
    Filesize: 12KB
  • memory/772-24-0x0000000000400000-0x000000000049A000-memory.dmp
    Filesize: 616KB
  • memory/772-0-0x0000000000400000-0x000000000049A000-memory.dmp
    Filesize: 616KB
  • memory/772-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
    Filesize: 12KB
  • memory/3380-72-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB
  • memory/3548-20-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB
  • memory/3656-78-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/3656-81-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/4068-92-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB
  • memory/4360-62-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/4360-58-0x0000000000400000-0x00000000004EB000-memory.dmp
    Filesize: 940KB
  • memory/4640-52-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB