Analysis

  • max time kernel
    136s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2024, 22:10

General

  • Target

    4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

  • Size

    349KB

  • MD5

    4a3dcc3024cf40f56bc4563f3095d905

  • SHA1

    2965ba4c677a9124f1f6d7e21bcc7f9e97cb6fe3

  • SHA256

    25e7b84fbbd135e31c0ee1e0569ebf39d663716768297a65a603cf4636a01ca8

  • SHA512

    604c1c255091ac3e4dc181ab06d35f68c976d579008d7d31790d1fd5306b0aa95db5fad757906eaa8501fa1f7a358e9671e4d35c53a73289d42564e02b204c9f

  • SSDEEP

    6144:cMYC34VQAAKdK70YGbgn7L+cJwstSTtP61op1G8i:IA4eAc70DberqTt6r8i

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe
      "C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4084
    • C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1740

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe

          Filesize

          5KB

          MD5

          f02488b2f487ba67a91cc7b766d00001

          SHA1

          620c522267dafd7e357940b7b12fc237988c0a25

          SHA256

          f3621856ef4d534f3b6363da1d36a4225ef059ea8621b4d38b2d2aee39a98c41

          SHA512

          3a9ad319dff52359949b6cc85664986f22e35f2a18eeb903518cc331780c42682411c975d0111d386eae8478fe3c228102fe55a5eb0fa5ab7252537a6aff2960

        • C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe

          Filesize

          466KB

          MD5

          17efb4c5f996f783e90be1eb0077ba40

          SHA1

          6631bb0d9dadce58250602b0dba4e3e8f16b6c97

          SHA256

          b12c1758969e6440d3305bd9aecb6f7a77310296cc0c78840ed813e87285e71a

          SHA512

          c0dd7dd736c0af38b5e350fd41db20789cb0489a051e6f2fc303d3964c5f184215e9aff7837c58ad2e107b25f7528084a07f35db6e62bb717467825fbb090f78

        • C:\Users\Admin\AppData\Local\Temp\ufr_reports\NO_PWDS_report_15-10-2024_22-10-16-7F6F77BC-LOMJ.bin

          Filesize

          1KB

          MD5

          87e96a9deaed933dc339667929aa0040

          SHA1

          dd21005b780218b8048e444b7320b300a17a2ca4

          SHA256

          eb7ec437ab78d3d3c896782e652a7a6210b92a1605617f51966a1fe26574fd89

          SHA512

          88aaa8560fba758e1bf4e08285e76c3302e46be388abfebe5031bd353afe0a5ad10228e56951736d36b86fb41cca8e13874ababe855952ebe3c270324a9a62b5

        • memory/216-0-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/216-29-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/216-37-0x0000000000400000-0x00000000004CA000-memory.dmp

          Filesize

          808KB

        • memory/1740-22-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

        • memory/1740-25-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB