Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-10-2024 09:38
General
-
Target
73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
-
Size
691KB
-
MD5
73267c2a412170b3f3df33616b1e1e8e
-
SHA1
bcc8e0537ea776cf75ea83aec75130fc5ba36b43
-
SHA256
4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3
-
SHA512
3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e
-
SSDEEP
12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB
Malware Config
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\RuntimeBroker.exe"C:\Windows\RuntimeBroker.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"2⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 1003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 9003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
MD5f6639aa0f7e43cf09431850b3f473238
SHA13c7740ceacf062f8d71095bb440e280fdd3372ec
SHA256870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e
SHA5121e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94
-
Filesize
260KB
MD51acabd72a026449937fc1cd16d0b5423
SHA1809ea7e21d0e3d80a6445c245daa2e018a417126
SHA25681634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2
SHA51240fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d
-
Filesize
9.9MB
-
Filesize
352KB
-
Filesize
440KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
720KB
-
Filesize
624KB
-
Filesize
9.9MB
-
Filesize
9.9MB