Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 21:22
Static task
static1
Behavioral task
behavioral1
Sample
4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe
-
Size
510KB
-
MD5
4a11900b9aa45745255a007bf279cb50
-
SHA1
a15147b400a93a55be087c7e23b921d65e5a1656
-
SHA256
01b614be847e7685953d5e998908d01e4e3ff163ec7176b8786c4fe0a8b53f59
-
SHA512
ea54be7c388398604da520757cd89bfeaddcf92e43e4648b455cd487b1e7e48a71413f2e1da065cfb45cedb5366896c088f4911a38cb803560cda8d86cee93f7
-
SSDEEP
12288:T4i+In3UrGCwjiKE1fo6o06fjnUFd6bLYBrXIA:TYIn3g3R26woFd6bsBrXb
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2372 set thread context of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30 PID 2372 wrote to memory of 1484 2372 4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\4a11900b9aa45745255a007bf279cb50_JaffaCakes118.exe2⤵
- System Location Discovery: System Language Discovery
PID:1484
-