9b2b11e608fd433058aa229029d875854bda1dad07ca865f63f0e571afa413b8

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe
Size

208KB
MD5

56aa9569c2b8f2d20820d3b6e9aa6fd7
SHA1

57f861e5378802f40aaac882ba23b9a89336eb52
SHA256

9b2b11e608fd433058aa229029d875854bda1dad07ca865f63f0e571afa413b8
SHA512

e6a741710e33bb8d093fa70bb8ed92bfa9ee3b23028e7e487aa1c7a65789f833b354304d4442905b80b53b9d6449d8d0fc1be7ce9adffb780774319adf3c1ae9
SSDEEP

6144:IO5eGyWOa0WkWgtrHhKXhiv7n4X+DoNO:IGeGI8ktrUXhivpEN

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdate.lnk	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3860	msftdm.exe
1676	msftdm32.exe

Loads dropped DLL 12 IoCs

pid	Process
3860	msftdm.exe
1676	msftdm32.exe
3860	msftdm.exe
3860	msftdm.exe
3860	msftdm.exe
3860	msftdm.exe
3860	msftdm.exe
3860	msftdm.exe
1676	msftdm32.exe
1676	msftdm32.exe
1676	msftdm32.exe
1676	msftdm32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4692-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral2/memory/4692-99-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msftdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msftdm32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3860	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	84
PID 4692 wrote to memory of 3860	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	84
PID 4692 wrote to memory of 3860	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	84
PID 4692 wrote to memory of 1676	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	85
PID 4692 wrote to memory of 1676	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	85
PID 4692 wrote to memory of 1676	4692	56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56aa9569c2b8f2d20820d3b6e9aa6fd7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Roaming\Mozilla\MSDLLD~1\msftdm.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\MSDLLD~1\msftdm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3860
- C:\Users\Admin\AppData\Roaming\Mozilla\MSDLLD~1\msftdm32.exe
  "C:\Users\Admin\AppData\Roaming\Mozilla\MSDLLD~1\msftdm32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msftcore.dat

Filesize
670B

MD5
5c71adad2f870c6f84f24182104f755d

SHA1
fe8e165ab86c1d2238812c22203a553b83f1456f

SHA256
7e17d62458a1bd2e83f9e7c6a39e2ce5d3cc92e26a2627bf92dca74d34ea71c7

SHA512
a3311420b3e3ee0671490edb32b55a945f81f5b0bd15fe0f81e26ad0ea74f03e78cc11d26118b757f299eba06b4d25083704016be99406a3f0ea3953d39e89de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftcore.dll

Filesize
53KB

MD5
ef678e96d74b5f8d259927806002a8ce

SHA1
caa553f2e565ce116b5a1046268e57687aa23bf9

SHA256
a6803e8c13a34ff40db26359ea1fa75e0ce90ba0b71ffaabc9270eaed7207caa

SHA512
ff7eab01bde539b6bfbe1d5e174a0d176883fb815b98b26c287c4b84c5680cb3f5c4eaf064b6ceaac90df862224ba210b8c349c7647069ebb9072678ca297bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftdm.exe

Filesize
2KB

MD5
18aa2f91baae224659475f2792b50f0d

SHA1
8f288089a80f4bacabd105d8dd985de4ed482c41

SHA256
495f6d130bf4e72123982c5b317da72cf16f22624d75b558607dc870a18eccb4

SHA512
4b2d5660ab3925943981dd0d00cdaf3a47b3b8d303e34f4bb8c6e78cb42cbdd009126421df65909ecad8697131844f472f906ac2bf2bdf522c5b0841cebce576

Download Submit
C:\Users\Admin\AppData\Local\Temp\msfteml.dll

Filesize
45KB

MD5
a88cd800c0af6efc19ba01263a8620b3

SHA1
7f5ae110e01502de358b8ab4bb548ac9d2fff86a

SHA256
0cab0de10823808a0b4cff5505ab341e7b18b449fb317b843b6cf3f29255d8b4

SHA512
12ce7c9ded506aab00233ee6b8582221b0d3fed33c73828531fbab6affbe1bdd21d5badb00beadfdc0b6f6a84d5ee95fa235027837fa61bb30a1324d2069b381

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftldr.dll

Filesize
29KB

MD5
8fb82fd6b3e477feffc178fae7bcd9b6

SHA1
37525d5c2d4b50f6867c5a491343632c6b40987c

SHA256
94a90c02a090166614d1b5903cd6b8dd4c2161c33a0be75245cd4864d67d01fc

SHA512
a21fc4941d49cea0d3494daa0e16ae3f25f9140954977f7ec63d897d91c0b36f1cce2dc4d18c87dd7e73d3ea91329c92f930f9ee6f2a0d1b7a08121c9def44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftmod.dat

Filesize
24B

MD5
e21f42c8e892bcb102b45fd92ae946f2

SHA1
018c9f80a4f603c12e0f7014fa8c77116434ba09

SHA256
1df3a4c0aea1b2cdc377ed1359f27efcfecc4a80c3d1a8a785568fb5552f91a9

SHA512
130d4bf292d25b44d68affc26318b033bcd532942f25f0fa78620b934095d6c2ae8ff4c2b2632233eaf25f85deca9f0349cba405b12e0c898254c00329403de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msftstp.exe

Filesize
15KB

MD5
6b135a45687c542ca12408a93c33a194

SHA1
231c2682159d8b81d79fc62b5b4ef5221025019c

SHA256
7158e9f7eaa91c7e47cd5acc1b6adb20e96a4cd4017fc4c10d1c14a598f707e9

SHA512
3e6dac597da4ab95ca8b9247b88d10f9c09bd5e9caa66e674a3f5508e5417c6441062f160f7ec9cefc3e4c2c8839c6a53a5f07545f579fc58e1af48ce0ec3a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msfttcp.dll

Filesize
18KB

MD5
691b31f3f19be80e224a23589aa74c6b

SHA1
1e8757d4572113d9dad543b2b381deae97d7095a

SHA256
f1af80ea34dcaaa59ca7d4bba3db8424cd2a9566accc729c882e732a1f2802ca

SHA512
712452ec698eae20bfd6fae2ea341005e32c7e54c909bf9a70bfc8439bec471aa2a056e5bf6cebb3592fd50c1d2f60e27f91707d40d762fa2b5917e07256b4b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\MSDLLD~1\msftldr.dll

Filesize
58KB

MD5
e429c94fda1c113fbc70875d1ba7b39d

SHA1
9e58b867447838f573b1a7a31aadd9297a56b226

SHA256
cdd63227691f623ba7b20d5c440a7153895e2b03286085d9f1c804781d40aea0

SHA512
370e1e328038d530839780d0a2e1d8273f556762ef0396476212e6cf0257c60313c6b0c2b89113195c23ed247ff267826da716b1f46734e329139bac26461dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\msdlldll83\msftcore.dat

Filesize
729B

MD5
dbe6967b072786325a642342a49e60ad

SHA1
8bd1c8857a5b2031c492d9cb16f270f078040575

SHA256
45977659e23414ce770f12d3a0daa6c1ff658fea9162959bfad380c84522ad55

SHA512
5cb0016a0c412bc46c3fa4c0e8f189a3eff7b63f47c26fc66ae512ff2fc9614a353e6211a012f0780bd1606b4482d72d37084ded53516d824eaffb15fa52f43b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\msdlldll83\msftcore.dll

Filesize
105KB

MD5
ba4edfadae959439407d5b7b3df731fe

SHA1
0722adc210ff654cc82dabb213ed518c5aa3ecfd

SHA256
f3adcc42419b49681d7655a3acb0dc9d178e8e931b8f2205d4e50ce87c90d19a

SHA512
7b032ffd56ef3e54c189e86d68355a97f27bf3dbaa906ca46f2ac57245d9f3d3318595c541a838255f98f476aa736f17c636c2f575cd4cc8030dc3c731414b98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\msdlldll83\msfteml.dll

Filesize
88KB

MD5
7c241daf329510baae970172bf044883

SHA1
009b049fcdd3bc09067f43480d874d648c54a07c

SHA256
ecdc04f6e53103d4f58455b567284144697f0859b94532a067e3c36bcad3134a

SHA512
715a2f2ab88ee80eb88cf56f1fdd556bfb849a8e581bd76c9965a4a5c8605009dcccb2c13789c79044274b65e76e7604fa0c6c6202dbdb5e62e59263173959cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\msdlldll83\msfttcp.dll

Filesize
37KB

MD5
3befea4643efc590f816fa37443c4872

SHA1
5ebbd78dbd717b9c2b0e30b87cb1099596ffe6c8

SHA256
e3bd1ef9f727f71445a2499d269b9b2ef75a35cd061f8fcb032de24db4178754

SHA512
0fb334f03b5fa8b9fb49b2732d9a38bea556ba477e7b9cc81bfa50664836814353544a87e15e99f725ee6d61cbf65fc6de4e44dc7f051d891f975041ee8c357f

Download Submit
memory/1676-127-0x00000000006F0000-0x00000000006FD000-memory.dmp

Filesize
52KB

Download
memory/1676-124-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/3860-119-0x0000000001F00000-0x0000000001F0D000-memory.dmp

Filesize
52KB

Download
memory/3860-115-0x0000000001F00000-0x0000000001F2D000-memory.dmp

Filesize
180KB

Download
memory/3860-103-0x0000000001F80000-0x0000000001FA3000-memory.dmp

Filesize
140KB

Download
memory/4692-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4692-99-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download