Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/10/2024, 08:17

Static task: static1
Behavioral task: behavioral1
Sample: 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
Size: 1.0MB
MD5: 661adfe3178b66006a0254d01b40043b
SHA1: 4c12d33ecf800186aaec43946e7435cfccc759da
SHA256: 8ca394ae833145f348a6267c737abd9cb6708d513d67ab8d415328c89ae20f0a
SHA512: 0a47f8629a9a09ada86373499c01fb53e1a288bced6d503f14a8e31695bccebb6d33511947c4595c566b7760b1a00745b36e867cc9b768c3b898db88a5ab6707
SSDEEP: 24576:DwEsmYlus9hwv35nGOtSXJbRJWGoTo5pelJWir:D7sus9hguJWGoTo5pea6
Malware Config
Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2232 set thread context of 2708 | 2232 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe | 30

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
2708 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 2708 | 2232 | 661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe | 30
(the same entry is recorded 11 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe"
   PID: 2232
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe (depth 2 in the process tree, nested under PID 2232)
      Command line: "C:\Users\Admin\AppData\Local\Temp\661adfe3178b66006a0254d01b40043b_JaffaCakes118.exe"
      PID: 2708
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx