Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 22:27

General

  • Target

    4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe

  • Size

    420KB

  • MD5

    4a4ba4c3d817f5dec20168204945809b

  • SHA1

    69c04303edee7a15af2760144610f2ba89655573

  • SHA256

    67c4eb554e88b85c01e46d32d4f65a7119ea914c8a49451e9553ad45ad1ef51b

  • SHA512

    82a488fa1b13c092a616f3e9ea2aac268c1d6b0f7775cd80c9817078cfd44d6f620ac748bd09e88e4688df962d5ac022bc810fa1799b70195c911319edff35ea

  • SSDEEP

    6144:0VEaAUYgRkiRfJc7ys9Ug5j8on5GtHIuu3bG7yRncvwf+0Zz1VvhyxeMnyfTr8jJ:0rHbR2ys9H5j8BHIu74ndf+0dW5IrCN

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials stored in unsecured files.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Roaming\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe
      C:\Users\Admin\AppData\Roaming\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2652
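The signatures listed above are sandbox heuristics evaluated over API calls and file activity: a process is flagged when it starts an executable another process just wrote, when it calls WriteProcessMemory or SetThreadContext against a process other than itself, when it reads FileZilla or browser credential stores, or when it queries the system language. The following is an added example of my own (not the sandbox's code and not code from the sample) that reimplements those checks over a constructed JSON-lines trace. The trace format, its event names, the sample file names and the hollowing heuristic (parent writes into and redirects a thread of a child it spawned) are assumptions; the FileZilla sitemanager.xml/recentservers.xml paths and browser "Login Data" file are the real locations such signatures inspect.

```python
import json
import re
from collections import defaultdict

# Constructed sample trace in a hypothetical JSON-lines format. It mirrors the
# process tree on this page (a Temp-resident parent spawning a dropped copy from
# AppData\Roaming) but is NOT output from the sandbox run reported above.
SAMPLE_TRACE = r"""
{"pid": 2372, "event": "process_start", "parent": 1000, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"}
{"pid": 2372, "event": "file_write", "path": "C:\\Users\\Admin\\AppData\\Roaming\\sample..exe"}
{"pid": 2652, "event": "process_start", "parent": 2372, "image": "C:\\Users\\Admin\\AppData\\Roaming\\sample..exe"}
{"pid": 2372, "event": "api", "api": "WriteProcessMemory", "target_pid": 2652, "base": "0x400000", "size": 356352}
{"pid": 2372, "event": "api", "api": "SetThreadContext", "target_pid": 2652}
{"pid": 2372, "event": "api", "api": "GetUserDefaultUILanguage", "target_pid": 2372}
{"pid": 2652, "event": "file_read", "path": "C:\\Users\\Admin\\AppData\\Roaming\\FileZilla\\sitemanager.xml"}
{"pid": 2652, "event": "file_read", "path": "C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"pid": 2652, "event": "api", "api": "GetSystemDefaultLangID", "target_pid": 2652}
"""

# Credential stores that only an infostealer-style process has a reason to read.
FTP_CLIENT_FILES = re.compile(r"\\FileZilla\\(sitemanager|recentservers|filezilla)\.xml$", re.I)
BROWSER_FILES = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)
# APIs used to learn the host language (ATT&CK T1614.001).
LANGUAGE_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultLangID",
                 "GetUserDefaultLangID", "GetLocaleInfoW", "GetLocaleInfoA"}
# APIs that are only suspicious when aimed at another process.
CROSS_PROCESS_APIS = {"WriteProcessMemory", "SetThreadContext"}


def parse_trace(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(trace_text):
    """Return {pid: set(signature names)} using the same labels as the report."""
    hits = defaultdict(set)
    dropped = {}  # lower-cased path -> pid that wrote it
    for ev in parse_trace(trace_text):
        pid, kind = ev["pid"], ev["event"]
        if kind == "file_write":
            dropped[ev["path"].lower()] = pid
        elif kind == "process_start":
            writer = dropped.get(ev["image"].lower())
            if writer is not None and writer != pid:
                hits[pid].add("Executes dropped EXE")
        elif kind == "api":
            api = ev["api"]
            if api in CROSS_PROCESS_APIS and ev.get("target_pid") != pid:
                hits[pid].add(f"Suspicious use of {api}")
            if api in LANGUAGE_APIS:
                hits[pid].add("System Location Discovery: System Language Discovery")
        elif kind == "file_read":
            if FTP_CLIENT_FILES.search(ev["path"]):
                hits[pid].add("Reads data files stored by FTP clients")
            if BROWSER_FILES.search(ev["path"]):
                hits[pid].add("Reads user/profile data of web browsers")
    return dict(hits)


def hollowing_candidates(trace_text):
    """(parent, child) pairs where the parent both wrote into and redirected a
    thread of a child it spawned: the classic WriteProcessMemory +
    SetThreadContext combination behind process hollowing (heuristic)."""
    events = parse_trace(trace_text)
    parent_of = {e["pid"]: e.get("parent") for e in events if e["event"] == "process_start"}
    touched = defaultdict(set)  # (actor, target) -> cross-process APIs used
    for e in events:
        if e["event"] == "api" and e["api"] in CROSS_PROCESS_APIS and e.get("target_pid") != e["pid"]:
            touched[(e["pid"], e["target_pid"])].add(e["api"])
    return sorted((p, c) for (p, c), apis in touched.items()
                  if apis == CROSS_PROCESS_APIS and parent_of.get(c) == p)


if __name__ == "__main__":
    for pid, sigs in sorted(analyze(SAMPLE_TRACE).items()):
        print(pid, sorted(sigs))
    print("hollowing candidates:", hollowing_candidates(SAMPLE_TRACE))
```

Run against the constructed trace, the parent (2372) is tagged for the two cross-process APIs and language discovery, the child (2652) for executing a dropped EXE and reading FTP-client and browser stores, and the pair (2372, 2652) surfaces as a hollowing candidate. On a real trace the remaining report signatures (EnumeratesProcesses, AdjustPrivilegeToken, Loads dropped DLL) follow the same shape: match an API or file event and attribute it to the calling pid.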

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • \Users\Admin\AppData\Local\Temp\GetProcAddress.dll

          Filesize

          15KB

          MD5

          0254f8bb5bcb4e8c1a3a47ffa27bbe0e

          SHA1

          093b480409486d7a0585132a7db7dec57d12ae64

          SHA256

          6e8991e5ed5af7582b4855d51dd5fb2818f8406db3f14bfaaa857aff1c15d28f

          SHA512

          009877f541d6f779a64d5b0f10e28e8b2815bf10b906264997f3e941c5c8be1d611b1137b2898ba482a5d8fbfb27431ea45225bc1197aa3671fd3f6029f16b88

        • \Users\Admin\AppData\Roaming\4a4ba4c3d817f5dec20168204945809b_JaffaCakes118..exe

          Filesize

          16KB

          MD5

          49caff636556846143cf21820263b7c5

          SHA1

          798485ba971c63d9b5a6736b63b0b66cf79223bf

          SHA256

          b1efa45ad63dcfb6c942b194790aff99bef9f808a01f56d829897d4ee5d6ee0a

          SHA512

          bf7b339b747eb18025975ce4d87fd460104fff34ee64b83e83ccb130ca61f092c33fadf5016d0e7071f93326b1f49c1310d51b16fd5905ef4f71b0d5303da9d4

        • memory/2372-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

          Filesize

          4KB

        • memory/2372-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

          Filesize

          5.7MB

        • memory/2372-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

          Filesize

          5.7MB

        • memory/2372-39-0x0000000074DE0000-0x000000007538B000-memory.dmp

          Filesize

          5.7MB

        • memory/2652-22-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-20-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-18-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-29-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-33-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-32-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2652-26-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-38-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

        • memory/2652-24-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB