Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2024, 14:01

General

  • Target

    66ef1c1a8d784bee97586bfa3b7ec260_JaffaCakes118.exe

  • Size

    716KB

  • MD5

    66ef1c1a8d784bee97586bfa3b7ec260

  • SHA1

    3d1fa1211fde37685cdd362db6136457f84032f1

  • SHA256

    328455d35ef48bff286bd6ed5405b53bd7ba08f67a5a0094e0b8cf293f4aa524

  • SHA512

    bfa1922d0c03f694acb22a2462574e8180ef7c8e5879eb432666a37355293008592577f936c6a843c506a7294de91bc060b450ca5f174651308c0eb9ab5dd699

  • SSDEEP

    12288:DKnekrL58BSB+2dmpWy/dr3JFg2zRFgdtxZKaByb+B85ZqWehI06w902kWbWrH8:4LiBSQSCWy/R3ydHHpB85ZqvhI06t2kU

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 63 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66ef1c1a8d784bee97586bfa3b7ec260_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\66ef1c1a8d784bee97586bfa3b7ec260_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\00294823\SgT.exe
      "C:\Users\Admin\AppData\Local\Temp/00294823/SgT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • System policy modification
      PID:2708

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\00294823\O9.dll

          Filesize

          222KB

          MD5

          e9b27306a18f18b88945cdf066de2fc9

          SHA1

          4d18490fbb336e261301a967047065dd561cc2f2

          SHA256

          a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

          SHA512

          f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

        • C:\Users\Admin\AppData\Local\Temp\00294823\O9.tlb

          Filesize

          2KB

          MD5

          39d776f73d1d3f771aaa8c3561367c3a

          SHA1

          eef842aa02927bd7fbe7d569c5446ef1a2ea065f

          SHA256

          c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

          SHA512

          3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

        • C:\Users\Admin\AppData\Local\Temp\00294823\SgT.dat

          Filesize

          5KB

          MD5

          6d4c5ee5ccb7574af59a07ab7be4b712

          SHA1

          f80d7056a9781eb736ed5238d596fbe74d897f0d

          SHA256

          3ed6fb3a705dac33a7240c0d1458277207b7b8510715c3dcc4fa41e81e14f7e9

          SHA512

          fb5fc1cfb83f78a099e13e5f1e7ab7b93bcd145d0b0e8504cfccd9e6595eecaed4eec4dac4e4ef4ef9a61e0bb1887846a38c207bffed2746ba3e407df92e7a10

        • C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

          Filesize

          2KB

          MD5

          1b53c596cfb1aa2209446ff64c17dabd

          SHA1

          2542da14728dcdbe1763f1ee39fe9ceae38ad414

          SHA256

          a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

          SHA512

          be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

        • C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

          Filesize

          98B

          MD5

          9546f11eba7f861f353a982a2318e614

          SHA1

          4aeca4e929cb0213e6e0fa822595164658c16c84

          SHA256

          0ff8b462e0e38c4526d87fe0755c2b1ad6efe1648f6201028d646e623d32728f

          SHA512

          c3bed596a5d297161a803cdfebc04ab2070c9f516a9b4d3eab1569b02c3be914487036b0c453a3b752804724d6f1c858e1453031fd0f28573f179ac38be4cc1a

        • C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

          Filesize

          9KB

          MD5

          15b9a18510da775d8a1bee3fd6b8601e

          SHA1

          9dde5d6d2eeb4f50381e8c90f192e42bb384c1a6

          SHA256

          51c92d52b2db3a41d6a9584ab031c414895f095742b9ab491fdc0819f0eb0f15

          SHA512

          eb0b3bb367e43c758628d015fd44d8f7131a730e1372233812095706e0e9645d1b82fab4b82b0675ab8b606edbb17dd972bda57049e69a1bf6c3d57bef535565

        • C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

          Filesize

          599B

          MD5

          f5022ccb5ab0b81a1e4894dd67cb0110

          SHA1

          34ca3fa4588278218c7f7333bb5ffbaaea7a3f05

          SHA256

          9890ada57f1eef98839a52ee8c2c5fae8875d53bc42184a98f7c15cfb3dd9da4

          SHA512

          e890a184ae5f16fd5002eccfdbf84c50e41a26be8c079513da0c3c52d8fa06ee128d2c7b64ac1aa880073c5afc3cfe9fa7ccdb120e828144f5a9854a5bcfd726

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\Goo.js

          Filesize

          5KB

          MD5

          a28f0f69f4f26bbf57f388b80f713e9b

          SHA1

          e41f501e57ce686cd3d35dd3375fe610d12c68c3

          SHA256

          8e647dd45db2638a3e138ca7fbf525c68cf63b0b3a028fdf99927669d4836ce1

          SHA512

          2e083b7315d36e704790266ad98b9e5f7f99c6793b5cf6fa9e40d4796f5e373803f6f510f15790190d64c1b98a1494b017cf3113a89961808b3c51bae0151667

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\background.html

          Filesize

          140B

          MD5

          8470867c0b2db24775dd82f89d14dde8

          SHA1

          f0364aa00ba0855c2039167c7c6a203ca986aa59

          SHA256

          9b036113f4be08601d25c3a8e7d14a2d89962cd6eb5c9cd36df013569da60982

          SHA512

          d74a62a5b860c5d1f8e18b3d4ea33f8988a52a38ac9adbfa99d2f8c5f0c69599470ae00e52c14b47e50046707751e89782130f34915e44e39e81e0a6e9dfcd63

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\content.js

          Filesize

          197B

          MD5

          5f9891607f65f433b0690bae7088b2c1

          SHA1

          b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

          SHA256

          fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

          SHA512

          76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\lsdb.js

          Filesize

          559B

          MD5

          209b7ae0b6d8c3f9687c979d03b08089

          SHA1

          6449f8bff917115eef4e7488fae61942a869200f

          SHA256

          e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

          SHA512

          1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\manifest.json

          Filesize

          499B

          MD5

          3a57f9f51bd4832e22b3a5122fac09ef

          SHA1

          3f8be62990497fc5451dfd94be1a569ff2f32050

          SHA256

          ed370a8ac58a3d445ea4048baf91705c706e1bbd80af6312839baa332b29998f

          SHA512

          db4c2bce81b76d60b656424500e391a9a70ac0e892b34f29fa4eb511063d77e18e660c1e71c6c46fac1c02376c87cdd7af98c01451d32f110a3a98760e806842

        • C:\Users\Admin\AppData\Local\Temp\00294823\pdjcipflepookpepijkngbcbjmmnfing\sqlite.js

          Filesize

          1KB

          MD5

          51ebf32080f37e6105b265aa1af091c6

          SHA1

          9c165ae706b6ef2fec8f3e66fb817ae751bf17d2

          SHA256

          215a8f7972738a6f80e4424d2391302cff695d90ad8dfa4bc4869cde7ca0407d

          SHA512

          b14e7e8c3ae1faa112374aa02dc46c3d5d2663b9325f84fedca2cc65b3461d19ff160d12161221278927e4b591ff8aa5fbd975e4cdecefec1a809243e8ab6e94

        • \Users\Admin\AppData\Local\Temp\00294823\SgT.exe

          Filesize

          334KB

          MD5

          8300c91b40229b42301aebc6d8859907

          SHA1

          0b55e56a6add6b4dd4ceff475a0018a203d02a5a

          SHA256

          f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

          SHA512

          0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f