287f092ee921d72efb66dfecbdd6a0d1af6e8092e19bb84607bae73942e8fe99

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551880105a444951b7d96b06d204820f_JaffaCakes118.exe
Size

250KB
MD5

551880105a444951b7d96b06d204820f
SHA1

ba48bd8baa236ddea40bab73c781bb52cbd5b8ab
SHA256

287f092ee921d72efb66dfecbdd6a0d1af6e8092e19bb84607bae73942e8fe99
SHA512

fb32352ee6b578b7c3f3b0a4401c05e9e1d17639d8245b6759620a648e38b79ac92b13c126104c4ba1b01a16426727f604bfce220638880ac1957a05c827fe05
SSDEEP

3072:hn1/uEAgDPdkBlyFZ+ScjaiKWbETBquAEXlqsUU6u/z0sVXLGwb//FPkf2DHZ2:h1OgDPdkBAFZWjadD4s56u/pGwZP/Q

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	51e565044f504.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	551880105a444951b7d96b06d204820f_JaffaCakes118.exe
2644	51e565044f504.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}	51e565044f504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\ = "SaveAs"	51e565044f504.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\NoExplorer = "1"	51e565044f504.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	551880105a444951b7d96b06d204820f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51e565044f504.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000195b1-18.dat	nsis_installer_1
behavioral1/files/0x00050000000195b1-18.dat	nsis_installer_2
behavioral1/files/0x0005000000019bf6-55.dat	nsis_installer_1
behavioral1/files/0x0005000000019bf6-55.dat	nsis_installer_2

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\InProcServer32	51e565044f504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\InProcServer32\ = "C:\\ProgramData\\SaveAs\\51e565044f53d.dll"	51e565044f504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\InProcServer32\ThreadingModel = "Apartment"	51e565044f504.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}	51e565044f504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECB4C979-CF32-CD6B-ABEA-9C449629BF74}\ = "SaveAs"	51e565044f504.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2644	2860	551880105a444951b7d96b06d204820f_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2644	2860	551880105a444951b7d96b06d204820f_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2644	2860	551880105a444951b7d96b06d204820f_JaffaCakes118.exe	30
PID 2860 wrote to memory of 2644	2860	551880105a444951b7d96b06d204820f_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\551880105a444951b7d96b06d204820f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\551880105a444951b7d96b06d204820f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\51e565044f504.exe
  .\51e565044f504.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SaveAs\uninstall.exe

Filesize
48KB

MD5
6b42b90360ec3c62b9595fa4b8b4f865

SHA1
afb11e2e5c428ae258328b6909bfc8f1a0ab21a9

SHA256
625d9381ead94ec137fd5eba37c0f1df1ebf8f38fc46732f8d10ad6c3c5a1b9f

SHA512
448f231c5a25ec08cb956475c6c2ab8a2b5f241d8e1da779dc09d64e372c8320090647290963a203beb498a81e37410a19948f801889906c460c393e92084053

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
b423a3a8fbd6f453014729eaa66aa518

SHA1
9df2c5763f3508be48a5ef1f44f5e852d2b57ce5

SHA256
88b861b909842c08eaa533c67e1c175593778a6d7a8b12944383b93ab979b158

SHA512
a4c687f859f56843b146f870d28e31cb8fb47c381ea32740bec04f2c2027f89ce346cd0a1caaf451c198d0bc6cdd389b686428ae2008987f0bafe7ce76ffa86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
83632a7359b7c80932c426ef7624a7cf

SHA1
1dfc0188755f3e13737f3c974576a3031ccc3037

SHA256
51807d1467c65659a4fb4abaa24c29bd7dd4424cb12d03a5029606bdc710919c

SHA512
acf23b430278242ae587978ac4fd8630a5b5f9176edbe0704a78397c20808d9165de892dbb08c10e4e950339a6b472298a20f1e98dcf0c340743d77e792527ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
644739718d02a475e51b3bf9e66f9797

SHA1
f8d4ecc78673a4f8ef93b937e255631c0816e8e9

SHA256
495c6372f9d20b7f8f6e3adc336122e1925bf08ff9423bb4f82277a4e0158fc4

SHA512
76efb3e70e79c6ad3dcfda86df666d19c5b6e65f574890d812573f03a944082cf641b49b938d3bae757683e86916bd0f548eb083564eeeb73374701ca4a5e43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\[email protected]\install.rdf

Filesize
611B

MD5
c03788e127b8510f501cbe82252a3072

SHA1
850f457b4d241a583d59e564416112680edf5c09

SHA256
813ccaa27c789e5145d2b8413c9ff437b97e85e3cd889505baa401ff3f5731fe

SHA512
7091b1ed219db3b2689b7bc5be002459dcf4f5655a552075c83ff63b2b1b23bcc86caacede1d6bf2ef489d5dea36fdf6cc96d8fcdeb9cbed94ca821762000bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\51e565044f53d.dll

Filesize
116KB

MD5
05234975b085632d70d89c2f420c5107

SHA1
078fb2a3e5de54c3737a4541242a4725c02c6b9c

SHA256
a758ad4fdc8949ea005258075457a972eb0672d69d98d688117b85221fca096a

SHA512
f9fa6aee142e32875127feadebbe235f4f376b0c3b7415036b8afc81c0a09a8ba0c5ec9e1703f1a34b220b7646caa1ca02629918185c4afbafe6926014044c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\51e565044f53d.tlb

Filesize
18KB

MD5
c1e296ff01d3cf37f91c7473bdd9de52

SHA1
832e3d1ddeb5a0ceb5b13c1ee271eb94bf9bf2a6

SHA256
a8e54ad3e1fbc91d5a7b02bf177a24a02f2558419ce46859bf15859b81478492

SHA512
aeb1f3962746caa3858c27b4753959d5ec9db2727e94642d5db2710633a96e7ceef5f9c0ff3b358f83143b6594459b5d9a94e095fed7a5d1fa97ae6a3c4e564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\ebicgieaiaogocpkchnjdhfmcekeljgd.crx

Filesize
8KB

MD5
7b19bfed473fc1ce21bdc0d1ee6b35e9

SHA1
1c95e7dd2f3503f125f22470b4aebab97efa0318

SHA256
466fd30094afc7900fa41d6a88e92f91cec2207595b4a0a17c9cb1408b5225e6

SHA512
8a843c92d9f54b059fce23f94f8ad4d81f16307bd64c0a8fefde7203a62e5ae11f08b9710f3e9ed475f64500a70370f56ca1bf73d828c1fc238d2883f1e7ec12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3524.tmp\settings.ini

Filesize
6KB

MD5
5d41dc5a95ec77d2d6eef391c3d4a072

SHA1
80d1bbf8c59b08a1254dba0982f817328bd34c6c

SHA256
6bacfe5e9aae436aa75ebfbbbf404a0aadd58097577c4eb02d455a7ff32948f6

SHA512
1cafc1877ad56906a3a9aafed0314aa563605c05c740ca898bbbe413e4da500376bef0c6b370a91433c928f433d98efe2fa83bf5e5a042d67e573d9b195322b4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3524.tmp\51e565044f504.exe

Filesize
65KB

MD5
f325c5c19f0b1e7fe0258901f0b134e8

SHA1
6d2a27c23834eb8506901588c4854ae485f284e6

SHA256
8522d4d3dfa051ae8c8095d498b24c193a1574d7a04490806ae2991054984624

SHA512
4ae05b145f8e69fd732a9fe23aa4d0761dbcf663085ca722444c1b8d3c0ac98858d9ed3de1562299c1adb59fb7fcf0f4c989813c4be48b5fa4753322214958c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy364D.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit