Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 22:53

General

  • Target

    4a60a0407f0b836bfcba46581e7b1497_JaffaCakes118.exe

  • Size

    114KB

  • MD5

    4a60a0407f0b836bfcba46581e7b1497

  • SHA1

    9373725022363230a486bde5d2ef4db295fa7f62

  • SHA256

    2279e3a12dd54692c3599d976f558148ba1a6ce0ca4058cffcd1d00d31bf2439

  • SHA512

    445fa53fa83a38a9efca13ac6d0321d52a174d073b170eec931771bb37fade3f0de15db6e74261eab7e5d0cca57150870b168d4bb51177b9d847972b471fd690

  • SSDEEP

    1536:GxgoGOdBGnY+1P75AzTliRVcwTLNZ/MhHPGbfSGZ+VLL3nNEYmYvwo:0aY307cwFVMRG7SGZ+VP9h

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    screamerko

Signatures

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a60a0407f0b836bfcba46581e7b1497_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4a60a0407f0b836bfcba46581e7b1497_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\cmd.exe
      "cmd"
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      PID:2952
    • C:\Users\Admin\AppData\Roaming\fbconnect.exe
      "C:\Users\Admin\AppData\Roaming\fbconnect.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2260

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\fbconnect.exe

          Filesize

          114KB

          MD5

          4a60a0407f0b836bfcba46581e7b1497

          SHA1

          9373725022363230a486bde5d2ef4db295fa7f62

          SHA256

          2279e3a12dd54692c3599d976f558148ba1a6ce0ca4058cffcd1d00d31bf2439

          SHA512

          445fa53fa83a38a9efca13ac6d0321d52a174d073b170eec931771bb37fade3f0de15db6e74261eab7e5d0cca57150870b168d4bb51177b9d847972b471fd690

        • C:\Users\Admin\AppData\Roaming\fbconnect.exe:ZONE.identifier

          Filesize

          27B

          MD5

          130a75a932a2fe57bfea6a65b88da8f6

          SHA1

          b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

          SHA256

          f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

          SHA512

          6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

        • memory/2260-12-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-14-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-19-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-18-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-16-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-11-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2260-15-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2280-10-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2280-13-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2280-0-0x000007FEF546E000-0x000007FEF546F000-memory.dmp

          Filesize

          4KB

        • memory/2280-2-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2280-17-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB

        • memory/2280-9-0x000007FEF546E000-0x000007FEF546F000-memory.dmp

          Filesize

          4KB

        • memory/2280-1-0x000007FEF51B0000-0x000007FEF5B4D000-memory.dmp

          Filesize

          9.6MB