Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-10-2024 02:28
Static task
static1
Behavioral task
behavioral1
Sample
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe
-
Size
5.7MB
-
MD5
5a673359f805a9349b7dbaa686cbc6e4
-
SHA1
2f31abdd1773521363234eb4d73970dbae46bb75
-
SHA256
b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0
-
SHA512
8aa30743bf3601d8395e07ae900f24f2fc7f016556693f0e71f2238165c29e1a296f8b44893f640d7a5d64b74740e76852e65ee844632167b8b4a4d2b7fd4b39
-
SSDEEP
98304:GswjbjOhJVHrhIW5xvgEEWhl3UE9h4NWvrrhm8AtrljsPojNwn/5xIp:JdtvEykE9hqWXXUMiOn/2
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource yara_rule behavioral1/files/0x000d000000012276-6.dat family_stormkitty behavioral1/memory/1956-8-0x00000000012E0000-0x0000000001304000-memory.dmp family_stormkitty -
Executes dropped EXE 3 IoCs
pid Process 1956 build.exe 1260 RCC.exe 2992 GameWerCheatRust.exe -
Loads dropped DLL 5 IoCs
pid Process 2596 WerFault.exe 2596 WerFault.exe 2596 WerFault.exe 2596 WerFault.exe 2596 WerFault.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 raw.githubusercontent.com 4 raw.githubusercontent.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2992 GameWerCheatRust.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2596 2992 WerFault.exe 33 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GameWerCheatRust.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2992 GameWerCheatRust.exe 2992 GameWerCheatRust.exe 2992 GameWerCheatRust.exe 2992 GameWerCheatRust.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2992 GameWerCheatRust.exe Token: SeDebugPrivilege 1956 build.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2992 GameWerCheatRust.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2328 wrote to memory of 1956 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 30 PID 2328 wrote to memory of 1956 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 30 PID 2328 wrote to memory of 1956 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 30 PID 2328 wrote to memory of 1260 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 31 PID 2328 wrote to memory of 1260 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 31 PID 2328 wrote to memory of 1260 2328 5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe 31 PID 1260 wrote to memory of 2992 1260 RCC.exe 33 PID 1260 wrote to memory of 2992 1260 RCC.exe 33 PID 1260 wrote to memory of 2992 1260 RCC.exe 33 PID 1260 wrote to memory of 2992 1260 RCC.exe 33 PID 2992 wrote to memory of 2596 2992 GameWerCheatRust.exe 34 PID 2992 wrote to memory of 2596 2992 GameWerCheatRust.exe 34 PID 2992 wrote to memory of 2596 2992 GameWerCheatRust.exe 34 PID 2992 wrote to memory of 2596 2992 GameWerCheatRust.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\RCC.exe"C:\Users\Admin\AppData\Local\Temp\RCC.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 9524⤵
- Loads dropped DLL
- Program crash
PID:2596
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1.2MB
MD57e088b115fa4207cfb39fb5c0af1efd3
SHA19bd0463048abb19af56da6699599cc61483dc851
SHA25600ba9963874ec7834f3c205647e5b5336efc36d68c627904350b92a819bc3bc0
SHA51245b0e5578ef3527a518600d5562af430964d00ec26ca84be4c77c5af70d4ca95f30cf0f29fedfa7a890108630e602ce7cef12ee303a677a96573e47f5f6a563f
-
Filesize
5.7MB
MD5e56e1ee0af12a066ee5004ea327c53ee
SHA150aaf0098ec7ae18a964711ee3ecc4b20da208da
SHA25640f450c93ce882fc29eabef25e8c13a7c3c8243de54c34d6a3bbc75aae69977b
SHA51292a03ba03ea3ae0903fd3e314bc6fa7c0d148a4849ac2f33792dfe9053068f21059fef9f37983a8adc31626eaf2a9e0d2d8fc8c52a885aed6b615c4a56f38f1f
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
120KB
MD516fe7e3582098aaef78c616f1e85dab5
SHA13446d42b2cf4fb14e278b2e5f829c3350d5b1f23
SHA25607cf4c35d8ce3c40a8ea1ee7ae199b676e77cd89d1c6dc8400094fc9ac2aae8e
SHA512562d462823d0576c743775af481e804f81bb0ff8a5734ba642d2b01df7226e9d0ff95d6d3959b0f8875d2453efc3efe79572a15fca3f8d135ee8932d49c8c902
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7