Analysis
max time kernel: 136s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2024, 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
Size: 349KB
MD5: 4a3dcc3024cf40f56bc4563f3095d905
SHA1: 2965ba4c677a9124f1f6d7e21bcc7f9e97cb6fe3
SHA256: 25e7b84fbbd135e31c0ee1e0569ebf39d663716768297a65a603cf4636a01ca8
SHA512: 604c1c255091ac3e4dc181ab06d35f68c976d579008d7d31790d1fd5306b0aa95db5fad757906eaa8501fa1f7a358e9671e4d35c53a73289d42564e02b204c9f
SSDEEP: 6144:cMYC34VQAAKdK70YGbgn7L+cJwstSTtP61op1G8i:IA4eAc70DberqTt6r8i
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
4084 | mcuicnt.exe
1740 | Steam Hack v15.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Unsecured Credentials: Credentials In Files (1 TTP)
Steals credentials from unsecured files.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | whatismyip.akamai.com

UPX packed file (YARA rule matches)
resource | yara_rule
behavioral2/files/0x0007000000023ca8-16.dat | upx
behavioral2/memory/1740-22-0x0000000000400000-0x0000000000408000-memory.dmp | upx
behavioral2/memory/1740-25-0x0000000000400000-0x0000000000408000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mcuicnt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Steam Hack v15.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
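The four registry signatures above (SystemBiosVersion, Geo\Nation, NLS\Language, CentralProcessor\0) describe host profiling that plenty of legitimate software also does; what makes them worth an alert is the combination inside one unsigned executable running from %TEMP%. The Python below is an added example, not code from this report or from the sandbox: it takes the registry-access rows listed above (copied here as constructed input, plus one benign control row that is not in the report) and flags any process that pairs a sandbox check with a targeting check. The key list, the labels and the verdict rule are assumptions made for this example.

```python
"""Score registry-access rows of the shape the report prints:
(process, operation, key_path). Flags a process that combines a
sandbox check (BIOS/CPU) with a targeting check (country, language)."""

SAMPLE = "4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

# Assumed mapping of registry paths to finding labels. HKLM entries are
# matched as an exact key or as a prefix (sub-values live under them);
# the HKU entry is matched on its suffix because the path carries the
# per-user SID.
PROFILING_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\SYSTEMBIOSVERSION": "bios_check",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0": "cpu_check",
    r"\CONTROL PANEL\INTERNATIONAL\GEO\NATION": "geofence_lookup",
    r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE": "language_discovery",
}

EVASION = {"bios_check", "cpu_check"}
TARGETING = {"geofence_lookup", "language_discovery"}

# Constructed input: the IoC rows from the report, plus one benign control
# row (notepad.exe) that does not appear in the report.
SID = "S-1-5-21-493223053-2004649691-1575712786-1000"
EVENTS = [
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (SAMPLE, "Key value queried", r"\REGISTRY\USER\%s\Control Panel\International\Geo\Nation" % SID),
    (SAMPLE, "Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (SAMPLE, "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"),
    (SAMPLE, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("mcuicnt.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Steam Hack v15.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("notepad.exe", "Key value queried", r"\REGISTRY\USER\%s\Software\Microsoft\Notepad\iWindowPosX" % SID),
]


def classify_key(key_path):
    """Return the finding label for a registry path, or None if untracked."""
    k = key_path.upper()
    for prefix, label in PROFILING_KEYS.items():
        if prefix.startswith("\\REGISTRY"):
            if k == prefix or k.startswith(prefix + "\\"):
                return label
        elif k.endswith(prefix):
            return label
    return None


def score_process(events):
    """Group findings per process and return {process: (verdict, labels)}."""
    findings = {}
    for process, _operation, key_path in events:
        labels = findings.setdefault(process, set())
        label = classify_key(key_path)
        if label:
            labels.add(label)
    verdicts = {}
    for process, labels in findings.items():
        if labels & EVASION and labels & TARGETING:
            verdict = "suspicious: evasion + targeting"
        elif labels & (EVASION | TARGETING):
            verdict = "informational"
        else:
            verdict = "none"
        verdicts[process] = (verdict, sorted(labels))
    return verdicts


if __name__ == "__main__":
    for process, (verdict, labels) in score_process(EVENTS).items():
        print(f"{process}: {verdict} {labels}")
```

The verdict rule is deliberately narrow: a single BIOS or CPU read from an installer or a telemetry agent is informational, and the dropped children here only reach that level on their NLS\Language read. The parent crosses the line because it reads both a hardware fingerprint and the configured country, which is the order a geofenced payload checks things in before deciding whether to run at all.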
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe (8 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 216 wrote to memory of 4084 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 85
PID 216 wrote to memory of 4084 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 85
PID 216 wrote to memory of 4084 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 85
PID 216 wrote to memory of 1740 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 86
PID 216 wrote to memory of 1740 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 86
PID 216 wrote to memory of 1740 | 216 | 4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe | 86
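Every row above has the sample (PID 216) writing into one of the two PIDs it spawned, which is consistent with what a CreateProcess call looks like from a WriteProcessMemory hook (the parent populates the new child's address space before it starts) rather than injection into a process it does not own. The Python below is an added example, not part of the report: it folds the six rows against the process tree from the Processes section and separates child-creation writes from cross-process writes. The last input row and its target process (PID 9999, explorer.exe) are constructed for contrast and do not appear in this report.

```python
"""Label WriteProcessMemory rows as child-creation or cross-process using
the parent/child relationships from the report's process tree."""
from collections import Counter

SAMPLE = "4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"

# child pid -> (image, parent pid), taken from the Processes section.
# PID 9999 is constructed for this example and is not in the report.
PROCESS_TREE = {
    216: (SAMPLE, None),
    4084: ("mcuicnt.exe", 216),
    1740: ("Steam Hack v15.exe", 216),
    9999: ("explorer.exe", None),  # constructed: a process the sample did not spawn
}

# (writer pid, target pid) per row. The first six rows are the report's;
# the seventh is constructed to show the injection-shaped case.
WRITES = [
    (216, 4084), (216, 4084), (216, 4084),
    (216, 1740), (216, 1740), (216, 1740),
    (216, 9999),  # constructed row, not in the report
]


def classify_writes(writes, tree):
    """Collapse duplicate rows and label each writer->target pair.

    child-creation : target's recorded parent is the writer
    cross-process  : target exists in the tree but was not spawned by the writer
    unknown-target : target pid is not in the tree at all
    Returns {(writer, target): (kind, row_count)}.
    """
    results = {}
    for (writer, target), count in Counter(writes).items():
        entry = tree.get(target)
        if entry is None:
            kind = "unknown-target"
        elif entry[1] == writer:
            kind = "child-creation"
        else:
            kind = "cross-process"
        results[(writer, target)] = (kind, count)
    return results


def injection_candidates(results):
    """Writer->target pairs that deserve a look for injection."""
    return sorted(pair for pair, (kind, _) in results.items() if kind == "cross-process")


if __name__ == "__main__":
    results = classify_writes(WRITES, PROCESS_TREE)
    for (writer, target), (kind, count) in sorted(results.items()):
        image = PROCESS_TREE.get(target, ("?",))[0]
        print(f"{writer} -> {target} ({image}): {kind}, {count} row(s)")
    print("injection candidates:", injection_candidates(results))
```

The three repeated rows per child are the separate writes one process launch produces, so collapsing duplicates before labelling keeps the count meaningful. A real injector shows up as a write into a PID whose parent is someone else, usually followed by a thread-creation or thread-context call in that same target; the report contains no such row, which is why the two dropped executables in %TEMP% are the more interesting artefact here.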
Processes
- C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4a3dcc3024cf40f56bc4563f3095d905_JaffaCakes118.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 216
  - C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\mcuicnt.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 4084
  - C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Steam Hack v15.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1740
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: f02488b2f487ba67a91cc7b766d00001
  SHA1: 620c522267dafd7e357940b7b12fc237988c0a25
  SHA256: f3621856ef4d534f3b6363da1d36a4225ef059ea8621b4d38b2d2aee39a98c41
  SHA512: 3a9ad319dff52359949b6cc85664986f22e35f2a18eeb903518cc331780c42682411c975d0111d386eae8478fe3c228102fe55a5eb0fa5ab7252537a6aff2960
- Filesize: 466KB
  MD5: 17efb4c5f996f783e90be1eb0077ba40
  SHA1: 6631bb0d9dadce58250602b0dba4e3e8f16b6c97
  SHA256: b12c1758969e6440d3305bd9aecb6f7a77310296cc0c78840ed813e87285e71a
  SHA512: c0dd7dd736c0af38b5e350fd41db20789cb0489a051e6f2fc303d3964c5f184215e9aff7837c58ad2e107b25f7528084a07f35db6e62bb717467825fbb090f78
- Filesize: 1KB
  MD5: 87e96a9deaed933dc339667929aa0040
  SHA1: dd21005b780218b8048e444b7320b300a17a2ca4
  SHA256: eb7ec437ab78d3d3c896782e652a7a6210b92a1605617f51966a1fe26574fd89
  SHA512: 88aaa8560fba758e1bf4e08285e76c3302e46be388abfebe5031bd353afe0a5ad10228e56951736d36b86fb41cca8e13874ababe855952ebe3c270324a9a62b5