Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/10/2024, 22:10

General

  • Target

    4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

  • Size

    349KB

  • MD5

    4a3dcc3024cf40f56bc4563f3095d905

  • SHA1

    2965ba4c677a9124f1f6d7e21bcc7f9e97cb6fe3

  • SHA256

    25e7b84fbbd135e31c0ee1e0569ebf39d663716768297a65a603cf4636a01ca8

  • SHA512

    604c1c255091ac3e4dc181ab06d35f68c976d579008d7d31790d1fd5306b0aa95db5fad757906eaa8501fa1f7a358e9671e4d35c53a73289d42564e02b204c9f

  • SSDEEP

    6144:cMYC34VQAAKdK70YGbgn7L+cJwstSTtP61op1G8i:IA4eAc70DberqTt6r8i

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe
      "C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"
      2⤵
      • Executes dropped EXE
      PID:2092

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_15-10-2024_22-10-16-616974B5-GFKD.bin

          Filesize

          1KB

          MD5

          3ada5ac63566dbec7924f6107cb2145c

          SHA1

          d4b3330d25c745931a7ef35e77ffe316c327cd29

          SHA256

          1374eaff5631a59ebe3b540cd9f6bc91d2d667bf5580c6f5e1dcce6ed69715c2

          SHA512

          3fdaadb1b8f784044dee67d3406eade53265b4ad97d6a1600d4d2502d5a3e476366590bd204c66bc347d5ef8014de076c6b45ecc5d55171743609fcc59ebdf3e

        • \Users\Admin\AppData\Local\Temp\Steam Hack v15.exe

          Filesize

          5KB

          MD5

          f02488b2f487ba67a91cc7b766d00001

          SHA1

          620c522267dafd7e357940b7b12fc237988c0a25

          SHA256

          f3621856ef4d534f3b6363da1d36a4225ef059ea8621b4d38b2d2aee39a98c41

          SHA512

          3a9ad319dff52359949b6cc85664986f22e35f2a18eeb903518cc331780c42682411c975d0111d386eae8478fe3c228102fe55a5eb0fa5ab7252537a6aff2960

        • \Users\Admin\AppData\Local\Temp\mcuicnt.exe

          Filesize

          466KB

          MD5

          17efb4c5f996f783e90be1eb0077ba40

          SHA1

          6631bb0d9dadce58250602b0dba4e3e8f16b6c97

          SHA256

          b12c1758969e6440d3305bd9aecb6f7a77310296cc0c78840ed813e87285e71a

          SHA512

          c0dd7dd736c0af38b5e350fd41db20789cb0489a051e6f2fc303d3964c5f184215e9aff7837c58ad2e107b25f7528084a07f35db6e62bb717467825fbb090f78

        • memory/2092-21-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

        • memory/2092-23-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

        • memory/2120-0-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/2120-20-0x0000000002270000-0x0000000002278000-memory.dmp

          Filesize

          32KB

        • memory/2120-19-0x0000000002270000-0x0000000002278000-memory.dmp

          Filesize

          32KB

        • memory/2120-28-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/2120-29-0x0000000002270000-0x0000000002278000-memory.dmp

          Filesize

          32KB

        • memory/2120-30-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/2120-37-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB