Analysis
  max time kernel: 119s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 15/10/2024, 22:10
Static task
  static1
Behavioral task
  behavioral1
  Sample: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task
  behavioral2
  Sample: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
  Target: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Size: 349KB
  MD5: 4a3dcc3024cf40f56bc4563f3095d905
  SHA1: 2965ba4c677a9124f1f6d7e21bcc7f9e97cb6fe3
  SHA256: 25e7b84fbbd135e31c0ee1e0569ebf39d663716768297a65a603cf4636a01ca8
  SHA512: 604c1c255091ac3e4dc181ab06d35f68c976d579008d7d31790d1fd5306b0aa95db5fad757906eaa8501fa1f7a358e9671e4d35c53a73289d42564e02b204c9f
  SSDEEP: 6144:cMYC34VQAAKdK70YGbgn7L+cJwstSTtP61op1G8i:IA4eAc70DberqTt6r8i
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  1924  mcuicnt.exe
  2092  Steam Hack v15.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  2120  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe  (3 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar material.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steals credentials from unsecured files.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     whatismyip.akamai.com
- UPX packed file (3 IoCs)
  YARA rule upx matched on a dropped file and on two memory regions of PID 2092 (Steam Hack v15.exe).
  resource                                                                     yara_rule
  behavioral1/files/0x0008000000015d7f-9.dat                                   upx
  behavioral1/memory/2092-21-0x0000000000400000-0x0000000000408000-memory.dmp  upx
  behavioral1/memory/2092-23-0x0000000000400000-0x0000000000408000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mcuicnt.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier          4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  2120  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe  (8 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid   Process                                             procid_target
  PID 2120 wrote to memory of 1924    2120  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe  30  (4 identical entries)
  PID 2120 wrote to memory of 2092    2120  4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe  31  (4 identical entries)
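The registry reads and process-memory writes listed under Signatures are the raw sandbox events a detection engineer turns into rules. What follows is an added example, not code from this report or from the sandbox, showing such rules in Python. It replays constructed events that mirror this report's IoCs (the same key paths, PIDs and image names) plus two invented lines to exercise the negative cases: a benign registry read under Windows NT\CurrentVersion and a WriteProcessMemory into PID 4040, a process the sample never created. The rules map the sandbox-evasion, language-discovery and Uninstall-key reads to the signature names used above, and separate a parent writing into a child it has just spawned, which CreateProcess itself does and which is weak evidence on its own, from a write into an unrelated existing process, the classic injection pattern. The pipe-delimited event format and the rule table are assumptions made for the example.

```python
"""Detection rules over sandbox-style events modelled on the report's IoCs.
Added example; the event lines and the event format are constructed, not
exported from the sandbox."""
import re
from collections import defaultdict

# Constructed events: kind | pid | process image | detail.  Registry paths,
# PIDs and image names copy the report; PID 4040 and the Windows NT read are
# invented negative cases.
EVENTS = r"""
regkey_opened | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
regvalue_queried | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
regvalue_queried | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
regvalue_queried | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
regkey_opened | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
regkey_opened | 1924 | mcuicnt.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
regkey_opened | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_opened | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
create_process | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 1924 C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe
create_process | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 2092 C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe
write_process_memory | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 1924
write_process_memory | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 1924
write_process_memory | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 2092
write_process_memory | 2120 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 4040
"""

# Registry paths a sandbox-aware sample reads, mapped to the report's
# signature names.  Case-insensitive regexes on the full key path.
REGISTRY_RULES = [
    (r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$",
     "Checks BIOS information in registry"),          # ATT&CK T1497
    (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)",
     "Checks processor information in registry"),     # ATT&CK T1497 / T1082
    (r"\\Control\\NLS\\Language$",
     "System Location Discovery: System Language Discovery"),  # T1614.001
    (r"\\CurrentVersion\\Uninstall(\\|$)",
     "Checks installed software on the system"),
]


def parse_events(text):
    """Split the pipe-delimited lines into dicts; 'detail' keeps any spaces."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, proc, detail = (f.strip() for f in line.split(" | ", 3))
        events.append({"kind": kind, "pid": int(pid), "process": proc, "detail": detail})
    return events


def match_registry(events):
    """Return {signature: [(pid, process, key), ...]}, one entry per distinct
    (signature, pid, key) so repeated reads do not inflate the IoC count."""
    hits, seen = defaultdict(list), set()
    for ev in events:
        if not ev["kind"].startswith("reg"):
            continue
        for pattern, name in REGISTRY_RULES:
            if re.search(pattern, ev["detail"], re.IGNORECASE):
                key = (name, ev["pid"], ev["detail"])
                if key not in seen:
                    seen.add(key)
                    hits[name].append((ev["pid"], ev["process"], ev["detail"]))
    return dict(hits)


def _children(events):
    """target pid -> (parent pid, image path) from create_process events."""
    out = {}
    for ev in events:
        if ev["kind"] == "create_process":
            child_pid, _, image = ev["detail"].partition(" ")
            out[int(child_pid)] = (ev["pid"], image)
    return out


def dropped_children(events):
    """PIDs of spawned children whose image lives under the user's Temp dir,
    the report's 'Executes dropped EXE' condition."""
    return {pid: image for pid, (_, image) in _children(events).items()
            if "\\appdata\\local\\temp\\" in image.lower()}


def classify_memory_writes(events):
    """Tag each WriteProcessMemory target as 'own child' (the writer created
    it in this trace) or 'unrelated process'; repeated writes collapse."""
    children, findings = _children(events), {}
    for ev in events:
        if ev["kind"] != "write_process_memory":
            continue
        target = int(ev["detail"])
        if target in findings:
            continue
        parent, image = children.get(target, (None, None))
        findings[target] = ("own child", image) if parent == ev["pid"] else ("unrelated process", None)
    return findings


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for name, iocs in match_registry(evs).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for pid, proc, key in iocs:
            print(f"  {pid} {proc}: {key}")
    for pid, image in dropped_children(evs).items():
        print(f"Executes dropped EXE: {pid} {image}")
    for pid, (kind, image) in classify_memory_writes(evs).items():
        print(f"WriteProcessMemory -> {pid}: {kind} {image or ''}")
```

Run as a script to print findings in the same shape as the Signatures section. Note that the writes into PIDs 1924 and 2092 are classified as writes into the sample's own children, which is why a practitioner treats this report's WriteProcessMemory entries as corroboration of the process tree rather than as proof of code injection; the invented write into PID 4040 is the pattern that would justify escalation.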
Processes
- C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"  (depth 1)
  PID: 2120
  - Checks BIOS information in registry
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"  (depth 2, child of PID 2120)
    PID: 1924
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"  (depth 2, child of PID 2120)
    PID: 2092
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3ada5ac63566dbec7924f6107cb2145c
  SHA1: d4b3330d25c745931a7ef35e77ffe316c327cd29
  SHA256: 1374eaff5631a59ebe3b540cd9f6bc91d2d667bf5580c6f5e1dcce6ed69715c2
  SHA512: 3fdaadb1b8f784044dee67d3406eade53265b4ad97d6a1600d4d2502d5a3e476366590bd204c66bc347d5ef8014de076c6b45ecc5d55171743609fcc59ebdf3e
- Filesize: 5KB
  MD5: f02488b2f487ba67a91cc7b766d00001
  SHA1: 620c522267dafd7e357940b7b12fc237988c0a25
  SHA256: f3621856ef4d534f3b6363da1d36a4225ef059ea8621b4d38b2d2aee39a98c41
  SHA512: 3a9ad319dff52359949b6cc85664986f22e35f2a18eeb903518cc331780c42682411c975d0111d386eae8478fe3c228102fe55a5eb0fa5ab7252537a6aff2960
- Filesize: 466KB
  MD5: 17efb4c5f996f783e90be1eb0077ba40
  SHA1: 6631bb0d9dadce58250602b0dba4e3e8f16b6c97
  SHA256: b12c1758969e6440d3305bd9aecb6f7a77310296cc0c78840ed813e87285e71a
  SHA512: c0dd7dd736c0af38b5e350fd41db20789cb0489a051e6f2fc303d3964c5f184215e9aff7837c58ad2e107b25f7528084a07f35db6e62bb717467825fbb090f78