Analysis
-
max time kernel
140s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2024, 08:51
Static task
static1
Behavioral task
behavioral1
Sample
6632b5a004da336598134d299c274598_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
6632b5a004da336598134d299c274598_JaffaCakes118.exe
-
Size
785KB
-
MD5
6632b5a004da336598134d299c274598
-
SHA1
36cc876002ab5f87fc1e0d3e61263858c7d20804
-
SHA256
4bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581
-
SHA512
1fde3998eee550678dccf674747dcff4e3e3065609058bdd9d561b890ae3c8e860bd229c6563c083dad06a5d77f4c7c86e873ba3fcfb935e0156558644950e4d
-
SSDEEP
24576:RuqTKog8fTlsBA44rK0xL8Uj62yhLqZ4u6RSiFKwoJS3kOpUwO5wK:wqTKog8fBgAJK2rchuZroKwoJS3kOpUJ
Malware Config
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6632b5a004da336598134d299c274598_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2028 6632b5a004da336598134d299c274598_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2028 wrote to memory of 4416 2028 6632b5a004da336598134d299c274598_JaffaCakes118.exe 98 PID 2028 wrote to memory of 4416 2028 6632b5a004da336598134d299c274598_JaffaCakes118.exe 98 PID 2028 wrote to memory of 4416 2028 6632b5a004da336598134d299c274598_JaffaCakes118.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6632b5a004da336598134d299c274598_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\875.bat2⤵
- System Location Discovery: System Language Discovery
PID:4416
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
785KB
MD56632b5a004da336598134d299c274598
SHA136cc876002ab5f87fc1e0d3e61263858c7d20804
SHA2564bbb3b453847242076fecd01be594d5bd506e2f56e861a30e589177769435581
SHA5121fde3998eee550678dccf674747dcff4e3e3065609058bdd9d561b890ae3c8e860bd229c6563c083dad06a5d77f4c7c86e873ba3fcfb935e0156558644950e4d
-
Filesize
175B
MD52737aa08c48a947cf15191577c9d8b54
SHA1455d5b243b0ff07fa555ffced989de9b5737596c
SHA2560b1175d2da76322f3a8f88ba4d903839b88bf0007684bafe3360b892ed32bd52
SHA512544b423e1c115e96b830ced596dcfe8ad46f0f1bd22f67b3e83281f7dd59f2177d39f854e369957e7762fec08f9e094f5bff90aa384a358e07ec0f6861bd088b