Analysis
max time kernel: 140s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 21/10/2024, 08:23
Static task: static1
Behavioral task: behavioral1
  Sample: 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
Size: 106KB
MD5: 661f87ca199421a6376ffe641469bb46
SHA1: d863732dfd69ac74dd81bd9057ca6fcd100020c2
SHA256: 05a7023b3e94b02f8d181fcdbb8375893078f0ebdf7728a8914247bc74ee6fcb
SHA512: 82e7a767660def5a6e343646d791615bdb3abfb9d787831d8b001c05ba366ca16d6ee5a01bbe3b335e374447fc7dd7f9094fe65ebc677fcd60ff6769bb6ec0e3
SSDEEP: 3072:590TTDXp7IrNid/wWzdgqK5BcQiZkNtEbvmC:otIZc/hzdgqKxiK
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

  resource | yara_rule
  behavioral1/memory/2860-3-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2776-8-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2776-7-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2860-9-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/1780-14-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral1/memory/2860-16-0x0000000000400000-0x000000000044F000-memory.dmp | upx

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe

- Suspicious use of WriteProcessMemory (8 IoCs)

  description | pid | Process | procid_target
  PID 2860 wrote to memory of 2776 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 30
  PID 2860 wrote to memory of 2776 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 30
  PID 2860 wrote to memory of 2776 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 30
  PID 2860 wrote to memory of 2776 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 30
  PID 2860 wrote to memory of 1780 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 32
  PID 2860 wrote to memory of 1780 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 32
  PID 2860 wrote to memory of 1780 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 32
  PID 2860 wrote to memory of 1780 | 2860 | 661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
  - C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    - System Location Discovery: System Language Discovery
    PID:2776
  - C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\661f87ca199421a6376ffe641469bb46_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\Windows\shell.exe%C:\Users\Admin\AppData\Roaming\Microsoft\Windows
    - System Location Discovery: System Language Discovery
    PID:1780
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 396B
  MD5: df7c6813d70a8932b8b8137604c35403
  SHA1: 2ab2693d37dd7a9d4e5d16da2bdaaa6c75037371
  SHA256: 6b80b67d9715604d62c8de3cf40d90c982db54932661dd9b4bcf647e53bc506a
  SHA512: 6a8071bbc4dff33c0db0ab2970ab04ab77f75ae9affe132797bafe82debc5b48ee043c29c1a5dc8c56d493d89b148828b737a224f696aebbe527860c221407b4
- Filesize: 792B
  MD5: 0e312660e3ad13b1e3f1d7a265b668ff
  SHA1: 6f04c773aa04c7ab6994634b025ef1334caaff3a
  SHA256: f2a62e4a2523348d8de2bf25becf42db5a92791010a0f7f6bb80773e39d4a4fd
  SHA512: 75b426593ef6a8cefdd46997d4e6dcb724ea5a135e5c9dc5fc75f914817823db495c812ac7f5b052f7a471c8ab08a38408ec199a69db92536cb6ed6a96d9ca17
- Filesize: 1KB
  MD5: 18df444f2795c1911aa7b2ffd4956ff9
  SHA1: 8b4791c1c8770ed60ddecd484e1625e772b03c3c
  SHA256: 4961d264971d76cc321951a2697a1539b544b2c7bd7ad1477ef1a145b6ba76d5
  SHA512: 9e521a068256018facff02af2a4a9615ceb588a261db55c47d55ba79f6833746297f933b715114b6a073d080afe0c7c9d0c70bfca0c096fb8aa19e1e41fd99a1