Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 22:27
Static task
static1
Behavioral task
behavioral1
Sample
4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe
-
Size
420KB
-
MD5
4a4ba4c3d817f5dec20168204945809b
-
SHA1
69c04303edee7a15af2760144610f2ba89655573
-
SHA256
67c4eb554e88b85c01e46d32d4f65a7119ea914c8a49451e9553ad45ad1ef51b
-
SHA512
82a488fa1b13c092a616f3e9ea2aac268c1d6b0f7775cd80c9817078cfd44d6f620ac748bd09e88e4688df962d5ac022bc810fa1799b70195c911319edff35ea
-
SSDEEP
6144:0VEaAUYgRkiRfJc7ys9Ug5j8on5GtHIuu3bG7yRncvwf+0Zz1VvhyxeMnyfTr8jJ:0rHbR2ys9H5j8BHIu74ndf+0dW5IrCN
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2652 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe -
Loads dropped DLL 5 IoCs
pid Process 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2372 set thread context of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32 PID 2372 wrote to memory of 2652 2372 4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Users\Admin\AppData\Roaming\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exeC:\Users\Admin\AppData\Roaming\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD50254f8bb5bcb4e8c1a3a47ffa27bbe0e
SHA1093b480409486d7a0585132a7db7dec57d12ae64
SHA2566e8991e5ed5af7582b4855d51dd5fb2818f8406db3f14bfaaa857aff1c15d28f
SHA512009877f541d6f779a64d5b0f10e28e8b2815bf10b906264997f3e941c5c8be1d611b1137b2898ba482a5d8fbfb27431ea45225bc1197aa3671fd3f6029f16b88
-
Filesize
16KB
MD549caff636556846143cf21820263b7c5
SHA1798485ba971c63d9b5a6736b63b0b66cf79223bf
SHA256b1efa45ad63dcfb6c942b194790aff99bef9f808a01f56d829897d4ee5d6ee0a
SHA512bf7b339b747eb18025975ce4d87fd460104fff34ee64b83e83ccb130ca61f092c33fadf5016d0e7071f93326b1f49c1310d51b16fd5905ef4f71b0d5303da9d4